Security Issue in latest Openfire 4.7.5 (Admin account take over)

Openfire Plugins
,
1

Hey Openfire Team,

I have found a major issue in latest openfire 4.7.5.

Admin account take over via openfire rest api.

Step to reproduce this issue :

  1. Open openfire admin panel via admin credentials
  2. Click on server → Server Settings → RestAPI → Secret key
  3. Secret is required to create normal user account as well. So incase any mobile application have a functionality to create user account then secret key must be present for account creation API call.
  4. Now simply copy this secret key (either via mobile app or any client).
  5. Open postman and post {baseurl}/plugins/restapi/v1/system/properties

With following headers :

Accept : application/json
Authorization : Your Secret Key

And with following body (json)

{
  “key” : “admin.authorizasJIDs”,
  “value” : “UserYouWantToMakeAdmin@HostedServerDomain/IP”
}

Now just post this request and you are done!
Now original admin won’t able to access openfire panel and the account you just sent via request will become the admin!

I am adding screenshots as well for more details

IMG_3556
IMG_3556895×673 20.4 KB

2

IMG_3555
IMG_3555891×621 16.7 KB

3

Thanks for taking the time to report this!

For future reference: it is preferable to disclose a vulnerability in a way that’s not as public as this forum is. We have set up a way to report security issues. You can find more information here: https://discourse.igniterealtime.org/t/ignite-realtime-security-information/

What you’ve reported is not so much a security vulnerability in the REST API, as it is in the way you have used the REST API in your product. The REST API exposes system administration functionality. It allows its users to read from and apply changes to core parts of Openfire.

What the REST API is not intended for, is to be used by end-users directly! The REST API should be treated as an administrative interface. Credentials used for its access should not be embedded in chat clients! Ideally, access to the REST API endpoints should be limited (through access control lists / firewall rules) to very specific systems that are allowed to interact with it.