Openfire Admin Console allows brute-force login.
It MUST implement security checks and listeners that monitor login attempts:
Limit login attempts per IP in a time period.
Limit total login attempts in a time period.
Perhaps simply delaying the error message would be sufficient ... so brute force takes really long .. (0.5 or 1 sec should be enough)
A day has 86400 seconds. A week 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change the admin password every month. Or at least we MUST not rely on it.
This is a Best Practices issue.
Adding a random delay of 1-3 seconds before returning an error when the password is wrong is never a fault.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.
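A sliding-window lockout that implements the per-address and total limits the description asks for, added here as an example; it is hypothetical code, not Openfire's own, the class and method names are mine, and the servlet hook that would call it on each login attempt is assumed. The clock is injected so the window can be exercised without waiting.

```java
import java.util.*;
import java.util.function.LongSupplier;

/** Sliding-window lockout for admin console login failures (hypothetical example, not Openfire code). */
public class LoginAttemptLimiter {
    private final int maxPerAddress;   // failures tolerated per remote address within the window
    private final int maxTotal;        // failures tolerated across all addresses within the window
    private final long windowMillis;
    private final LongSupplier clock;  // injected so the window can be tested; use System::currentTimeMillis in production
    private final Map<String, Deque<Long>> perAddress = new HashMap<>();
    private final Deque<Long> total = new ArrayDeque<>();

    public LoginAttemptLimiter(int maxPerAddress, int maxTotal, long windowMillis, LongSupplier clock) {
        this.maxPerAddress = maxPerAddress; this.maxTotal = maxTotal;
        this.windowMillis = windowMillis; this.clock = clock;
    }

    /** Check before verifying the password; a blocked request gets the same error as a wrong password. */
    public synchronized boolean isBlocked(String remoteAddress) {
        long now = clock.getAsLong();
        prune(total, now);
        Deque<Long> mine = perAddress.get(remoteAddress);
        if (mine != null) prune(mine, now);
        return total.size() >= maxTotal || (mine != null && mine.size() >= maxPerAddress);
    }

    public synchronized void recordFailure(String remoteAddress) {
        long now = clock.getAsLong();
        total.addLast(now);
        perAddress.computeIfAbsent(remoteAddress, k -> new ArrayDeque<>()).addLast(now);
    }

    /** A successful login clears that address; idle addresses should also be evicted periodically (not shown). */
    public synchronized void recordSuccess(String remoteAddress) { perAddress.remove(remoteAddress); }

    private void prune(Deque<Long> stamps, long now) {
        while (!stamps.isEmpty() && now - stamps.peekFirst() >= windowMillis) stamps.pollFirst();
    }

    public static void main(String[] args) {
        long[] now = {0L};  // fake clock so the demo does not have to wait for the window to pass
        LoginAttemptLimiter limiter = new LoginAttemptLimiter(5, 50, 15 * 60 * 1000L, () -> now[0]);
        for (int i = 0; i < 5; i++) limiter.recordFailure("203.0.113.7");  // constructed sample address
        System.out.println(limiter.isBlocked("203.0.113.7"));   // fifth failure reaches the per-address limit
        System.out.println(limiter.isBlocked("198.51.100.2"));  // other addresses are unaffected
        now[0] = 15 * 60 * 1000L;
        System.out.println(limiter.isBlocked("203.0.113.7"));   // once the window elapses the address is released
    }
}
```

The random 1-3 second pause suggested in the comments belongs in the same failure path, applied before the error response regardless of whether the limiter or the password check rejected the attempt, so the response time does not reveal which one did.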