VYPR
Critical severity · NVD Advisory · Published Oct 24, 2019 · Updated Aug 5, 2024

CVE-2019-18394

Description

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ignite Realtime Openfire through 4.4.2 contains a Server-Side Request Forgery (SSRF) vulnerability in FaviconServlet.java allowing unauthenticated attackers to send arbitrary HTTP GET requests to internal networks.

Vulnerability

Overview

The FaviconServlet.java in Ignite Realtime Openfire (up to version 4.4.2) suffers from a Server-Side Request Forgery (SSRF) vulnerability. The servlet's doGet method accepts a host parameter and constructs a URL of the form http://{host}/favicon.ico, where {host} is the unvalidated parameter value. It then fetches that URL and returns the response to the requester [1]. This allows an attacker to force the server to make arbitrary HTTP GET requests to any host reachable from the server.

Exploitation

No authentication is required to trigger the vulnerability. The Openfire admin console is often exposed on ports 9090 (HTTP) and 9091 (HTTPS) to external networks [1]. An attacker can craft a request to the FaviconServlet with a host parameter pointing to internal IP addresses (e.g., 127.0.0.1, 10.0.0.1) or other internal services. The server will fetch the favicon from that target and return the full response body, effectively enabling the attacker to read internal web pages and probe internal services [1].

Impact

This SSRF vulnerability allows an unauthenticated attacker to perform reconnaissance of internal networks, access internal web applications, and potentially retrieve sensitive information from services that are not intended to be exposed externally. The response is returned in full, making it a full-read SSRF [1].

Mitigation

The vulnerability has been fixed in commit c2ccb38 [2]. The fix adds a check to ensure that the response from the fetched URL is actually an image before returning it, preventing the disclosure of non-image content. Users should upgrade to a patched version of Openfire. The issue is tracked as OF-1885 [2] and is documented in the NVD entry [4].
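The Exploitation and Mitigation sections above describe two things a defender wants to be able to check: whether a host parameter points at something inside the server's own network, and whether the bytes fetched on its behalf are really an image before they are relayed. The following Python is an added example written for this page; it is not Openfire's code and not the change in commit c2ccb38 (which, per the advisory, only adds the image check; the host validation here is an extra layer). It assumes a hypothetical endpoint path /favicon-proxy, constructed access-log lines in the common log format, and an optional caller-supplied DNS resolver so it runs offline.

```python
"""Defensive checks for a favicon-proxy endpoint (added example, not Openfire code)."""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Address ranges the proxy must never be pointed at. The cloud-metadata address
# 169.254.169.254 sits inside the link-local block. Hypothetical policy.
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Magic bytes of the formats a favicon is allowed to be: ICO, PNG, GIF, JPEG.
_IMAGE_MAGIC = (b"\x00\x00\x01\x00", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\xff\xd8\xff")

# A public hostname: dotted labels plus an alphabetic TLD. Single-label names
# such as "localhost", and anything carrying a scheme, port, path or userinfo,
# fail this pattern on purpose.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Common log format: "src - - [ts] "METHOD target PROTO" status size"
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def _ip_is_public(ip) -> bool:
    """True only for a globally routable address outside the blocked ranges."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not any(ip in net for net in _BLOCKED_NETS)


def host_is_safe(host: str, resolver: Optional[Callable[[str], List[str]]] = None) -> bool:
    """Validate a host parameter before letting the server fetch from it.

    Accepts a bare public IP literal or a well-formed public hostname. When a
    resolver (hostname -> list of IP strings) is supplied, every address the
    name resolves to must also be public, so a public name pointing at an
    internal address is rejected. DNS rebinding after the check is out of scope.
    """
    host = host.strip().rstrip(".").lower()
    if not host:
        return False
    try:
        return _ip_is_public(ipaddress.ip_address(host))  # bare IP literal
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(host):
        return False
    if resolver is not None:
        addrs = resolver(host)
        return bool(addrs) and all(_ip_is_public(ipaddress.ip_address(a)) for a in addrs)
    return True


def response_is_image(content_type: Optional[str], body: bytes) -> bool:
    """Relay the fetched bytes only if the declared type and the magic bytes agree."""
    if not content_type:
        return False
    if not content_type.split(";")[0].strip().lower().startswith("image/"):
        return False
    return body.startswith(_IMAGE_MAGIC)


def flag_ssrf_attempts(log_lines, endpoint: str = "/favicon-proxy",
                       resolver=None) -> List[Tuple[str, str, int]]:
    """Return (source_ip, host_param, status) for requests to `endpoint` whose
    host parameter fails host_is_safe; useful for triaging traffic that reached
    an unpatched instance."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        for host in parse_qs(parts.query).get("host", []):  # parse_qs also URL-decodes
            if not host_is_safe(host, resolver):
                hits.append((m.group("src"), host, int(m.group("status"))))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2019:10:01:02 +0000] "GET /favicon-proxy?host=example.org HTTP/1.1" 200 1406
203.0.113.7 - - [24/Oct/2019:10:01:05 +0000] "GET /favicon-proxy?host=127.0.0.1%3A9090 HTTP/1.1" 200 5120
198.51.100.9 - - [24/Oct/2019:10:02:11 +0000] "GET /favicon-proxy?host=169.254.169.254 HTTP/1.1" 200 812
198.51.100.9 - - [24/Oct/2019:10:02:30 +0000] "GET /other-page HTTP/1.1" 200 3301
"""

if __name__ == "__main__":
    for src, host, status in flag_ssrf_attempts(SAMPLE_LOG.splitlines()):
        print(f"{src} requested favicon from disallowed host {host!r} (status {status})")
```

The two checks are independent on purpose: `host_is_safe` stops the server from fetching internal targets at all, while `response_is_image` limits what is relayed even when the destination was allowed, which is the property the advisory attributes to the fix.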

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.igniterealtime.openfire:parent (Maven)
Affected versions: < 4.5.0-beta
Patched versions: 4.5.0-beta

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (No linked articles in our index yet.)