[Operators] Openfire security issue; admin console authentication bypass (fixed in 3.6.1)

Clemens Lucas Fries xmpp at xenoworld.de
Tue Nov 18 15:30:20 CST 2008


This issue is fixed with version 3.6.1 (relased on Nov. 14th).
Although I'm four days late I wanted to bring this to the attention of 
Openfire administrators.

Quick summary:
It is possible, by using a specially crafted URL, to access the webinterface 
of Openfire,  bypassing authentication.

Here is the issue: http://www.igniterealtime.org/issues/browse/JM-1489
Here is a posting by 'ktk', quoting the message as it was posted by Andreas 
Kurtz on Full Disclosure with some additional information: 
http://www.igniterealtime.org/community/message/182518




More information about the Operators mailing list