VYPR
Moderate severity · NVD Advisory · Published Oct 24, 2019 · Updated Aug 5, 2024

CVE-2019-18393

Description

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Openfire through 4.4.2 has a directory traversal in PluginServlet allowing remote authenticated attackers to read arbitrary files outside the home directory.

Vulnerability

Description

CVE-2019-18393 is a directory traversal vulnerability in Ignite Realtime Openfire, affecting versions through 4.4.2 [1]. The flaw resides in PluginServlet.java, which fails to validate that retrieved files are located under the Openfire home directory [2]. This allows an attacker to request arbitrary files from the host filesystem by manipulating the file path parameter.

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the PluginServlet, traversing directory paths to access files outside the intended scope [1][2]. The attacker must be authenticated to reach the PluginServlet, as it is part of the administrative console [3]. No additional privileges beyond a valid user session are required to trigger the directory traversal.

Impact

Successful exploitation enables an attacker to read sensitive files on the server, such as configuration files containing database credentials, private keys, or user data [1][2]. The reads run with the privileges of the account that owns the Openfire process, so any file that account can read is in scope. Since Openfire is often deployed in enterprise environments and exposed to the internet, this could lead to further compromise of the XMPP messaging infrastructure [3].

Mitigation

The vendor addressed the vulnerability in commit cb900749d4e836b32cc6e2cc41cda17f252b977d [4]. The fix introduces a system property, plugins.servlet.allowLocalFileReading, set to false by default, which disallows access to files outside Openfire's home directory [2][4]. Users should upgrade to a patched version; the property is only read by patched builds, so setting it on an unpatched installation has no effect. After upgrading, setting it explicitly to false in openfire.xml is a defense-in-depth measure against it being enabled later.
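The Exploitation and Mitigation sections above describe the same check from two sides: a servlet that joins a request path onto a base directory without confirming the result stays inside it, and a fix that refuses anything outside the Openfire home. The following is an added example written for this page, not Openfire's PluginServlet and not the code from the referenced fix commit. It shows the vulnerable resolution pattern next to a canonical-path containment check, run against a constructed directory layout in the system temp directory. The class name PluginPathCheck, the helper names and the sample paths are assumptions made for the example; it requires Java 11 or later for Files.writeString.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative path-containment check for a servlet that serves files out of a
 * plugin directory. Added example for this page; not Openfire's own code and
 * not the code from the referenced fix commit. Requires Java 11 or later.
 */
public class PluginPathCheck {

    // Vulnerable pattern: the request path is joined onto the base directory
    // without checking that the result stays inside it, so ".." segments in
    // the request walk out of the plugin directory.
    static File resolveUnchecked(File baseDir, String requestPath) {
        return new File(baseDir, requestPath);
    }

    // Hardened pattern: canonicalise both the base directory and the joined
    // path (this resolves "..", ".", duplicate separators and symlinks), then
    // require the result to be the base directory itself or a descendant of it.
    // Returns null when the request escapes the base directory.
    static File resolveChecked(File baseDir, String requestPath) throws IOException {
        File base = baseDir.getCanonicalFile();
        File candidate = new File(base, requestPath).getCanonicalFile();
        return isUnder(base, candidate) ? candidate : null;
    }

    // Containment test on path components rather than on strings: a plain
    // String.startsWith would accept "/opt/openfire2" as being under
    // "/opt/openfire".
    static boolean isUnder(File parent, File child) {
        Path p = parent.toPath().toAbsolutePath().normalize();
        Path c = child.toPath().toAbsolutePath().normalize();
        return c.startsWith(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a throwaway "home" with plugins/demo holding one
        // legitimate file, and a sibling directory outside home holding a file
        // the servlet must never serve.
        Path home = Files.createTempDirectory("openfire-home");
        Path pluginDir = Files.createDirectories(home.resolve("plugins").resolve("demo"));
        Files.writeString(pluginDir.resolve("index.html"), "<html>ok</html>");
        Path outside = Files.createTempDirectory("outside");
        Files.writeString(outside.resolve("secret.txt"), "db-password");

        // Constructed request paths: a normal asset and a traversal attempt that
        // climbs from plugins/demo past home into the sibling temp directory.
        String legit = "index.html";
        String traversal = "../../../" + outside.getFileName() + "/secret.txt";

        File dir = pluginDir.toFile();
        for (String req : new String[] {legit, traversal}) {
            File unchecked = resolveUnchecked(dir, req);
            File checked = resolveChecked(dir, req);
            System.out.println("request " + req);
            System.out.println("  unchecked resolves to an existing file: " + unchecked.exists());
            System.out.println("  checked accepts it:                     " + (checked != null));
        }
    }
}
```

Run it with `java PluginPathCheck.java`. The unchecked resolution reaches the file in the sibling directory, while the checked resolution returns null for the traversal request and only accepts the asset inside the plugin directory. Canonicalising before comparing matters: a check on the raw request string can be bypassed with encoded separators or symlinks, whereas getCanonicalFile compares what the filesystem will actually open. The vendor's fix, per the references cited above, gates this behaviour behind a property rather than hard-coding the check; the containment logic itself is what that property enforces.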

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.igniterealtime.openfire:parent (Maven)
Affected versions: < 4.5.0-beta
Patched versions: 4.5.0-beta

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.