|
blocker needs to block a release.
Posted a possible fix in forum:
http://www.igniterealtime.org/community/thread/35874?start=15&tstart=0  I've linked the other JIRA issues that relate to the same security advisory to this JIRA issue.
Guus and I worked on a patch for this. This will require changes to several plugins which exclude themself from AuthCheckFilter. I think we will discuss this on the community chat shortly.
diff -r -C 4 openfire_src_3_6_0/src/java/org/jivesoftware/admin/AuthCheckFilter.java openfire_patch_3_6_0a/src/java/org/jivesoftware/admin/AuthCheckFilter.java
*** openfire_src_3_6_0/src/java/org/jivesoftware/admin/AuthCheckFilter.java 2008-08-29 06:13:22.000000000 +0200
--- openfire_patch_3_6_0a/src/java/org/jivesoftware/admin/AuthCheckFilter.java 2008-11-12 16:53:18.000000000 +0100
***************
*** 77,94 ****
String loginPage = defaultLoginPage;
if (loginPage == null) {
loginPage = request.getContextPath() + "/login.jsp";
}
// Get the page we're on:
! String url = request.getRequestURL().toString();
// See if it's contained in the exclude list. If so, skip filter execution
! boolean doExclude = false;
! for (String exclude : excludes) {
! if (url.indexOf(exclude) > -1) {
! doExclude = true;
! break;
! }
! }
if (!doExclude) {
WebManager manager = new WebManager();
manager.init(request, response, request.getSession(), context);
if (manager.getUser() == null) {
--- 77,90 ----
String loginPage = defaultLoginPage;
if (loginPage == null) {
loginPage = request.getContextPath() + "/login.jsp";
}
+
// Get the page we're on:
! String srvpath = request.getServletPath();
// See if it's contained in the exclude list. If so, skip filter execution
! boolean doExclude = XMPPServer.getInstance().isSetupMode() || excludes.contains(srvpath);
!
if (!doExclude) {
WebManager manager = new WebManager();
manager.init(request, response, request.getSession(), context);
if (manager.getUser() == null) {
diff -r -C 4 openfire_src_3_6_0/src/web/index.jsp openfire_patch_3_6_0a/src/web/index.jsp
*** openfire_src_3_6_0/src/web/index.jsp 2008-08-29 06:13:17.000000000 +0200
--- openfire_patch_3_6_0a/src/web/index.jsp 2008-11-12 16:49:22.000000000 +0100
***************
*** 53,60 ****
--- 53,68 ----
<%-- Define Administration Bean --%>
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
<% webManager.init(request, response, session, application, out); %>
+ <%-- Check if in setup mode --%>
+ <%
+ if (webManager.isSetupMode()) {
+ response.sendRedirect("setup/index.jsp");
+ return;
+ }
+ %>
+
<%! long lastRRSFecth = 0;
SyndFeed lastBlogFeed = null;
SyndFeed lastReleaseFeed = null;
String blogFeedRSS = "http://www.igniterealtime.org/community/blogs/ignite/feeds/posts";
diff -r -C 4 openfire_src_3_6_0/src/web/WEB-INF/web.xml openfire_patch_3_6_0a/src/web/WEB-INF/web.xml
*** openfire_src_3_6_0/src/web/WEB-INF/web.xml 2008-08-29 06:13:17.000000000 +0200
--- openfire_patch_3_6_0a/src/web/WEB-INF/web.xml 2008-11-12 16:57:05.000000000 +0100
***************
*** 23,31 ****
<filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
<init-param>
<param-name>excludes</param-name>
<param-value>
! login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-,.gif,.png,error-serverdown.jsp,setup/clearspace-integration-prelogin.jsp
</param-value>
</init-param>
</filter>
--- 23,31 ----
<filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
<init-param>
<param-name>excludes</param-name>
<param-value>
! /login.jsp
</param-value>
</init-param>
</filter>
I checked in a comprehensive fix to this issue today. Existing behavior is supported, except that exclude rules like the setup rule must now include a wildcard at the end. We are doing some more comprehensive testing of the fix but so far all looks good. Look for a release very soon.
I would not call
http://www.igniterealtime.org/fisheye/browse/svn-org/openfire/trunk/src/java/org/jivesoftware/admin/AuthCheckFilter.java?r1=10204&r2=10870 'comprehensive'. Adding this kind of convoluted matching code to a security-related code path is no good. Also, I think it's broken: Add This bug is still not solved!!!
This does still return the content of info.log without auth: echo "GET /setup/setup-/%2E%2E/%2E%2E/log.jsp?log=info&mode=asc&lines=All" | nc localhost 9090
reopening, cuz I have the power to do so for now
 Fixes can only ever be as comprehensive as the tests.
Thanks guys for pointing out more error cases. I'm about to check in logic that checks for %2E.
We don't like having complex code either. Another approach I've seen is adding an annotation to actions/JSP pages that indicates what kind of access checking should be done. That's probably a better approach since it's very explicit, but isn't a super quick fix. So, I'd rather go with this approach for now if we believe we can catch all the cases. There's an AuthCheckFilterTest class where we've been adding to. If you guys can think of more cases, let's add them there. I'll leave this issue open for now.
What about the fix from Guus and me I posted above? Reported problem has been fixed. Lets do the release now since known issues have been solved. If more things are found we can fix them in the next release.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
|
Bug
Closed
Blocker
Authentication bypass allowing arbitrary code execution
Workaround for Linux systems
ssh -L 9091:localhost:9091 username@yourserver.org
You can access to Admin console now via https://localhost:9091/
This should be safe.
Workaround using Apache
RewriteRule ^/admin/(.*) http://localhost:9090/$1