[Operators] Openfire security issue; admin console authentication bypass (fixed in 3.6.1)
Clemens Lucas Fries
xmpp at xenoworld.de
Tue Nov 18 15:30:20 CST 2008
This issue is fixed with version 3.6.1 (released on Nov. 14th).
Although I'm four days late I wanted to bring this to the attention of
Openfire administrators.
Quick summary:
It is possible, by using a specially crafted URL, to access the web interface
of Openfire, bypassing authentication.
Here is the issue: http://www.igniterealtime.org/issues/browse/JM-1489
Here is a posting by 'ktk', quoting the message as it was posted by Andreas
Kurtz on Full Disclosure with some additional information:
http://www.igniterealtime.org/community/message/182518