A malicious user can set the packet's from attribute to any value they choose, and Openfire does not enforce that this value is correct when using HTTP binding.
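The missing check described above is that a server must bind each stanza's from attribute to the JID it actually authenticated for that HTTP-binding session rather than trusting the client-supplied value. The following is an added illustration, not Openfire's code: it assumes the server already knows the authenticated session JID (session_jid) and applies the rule every stanza must pass before routing. A missing from is filled in, a from that matches the session's full or bare JID is normalised to the full JID, and anything else is rejected. The sample stanzas are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Keep the default jabber:client namespace unprefixed when re-serialising.
ET.register_namespace("", "jabber:client")


def bare_jid(jid: str) -> str:
    """Strip the resource part: 'alice@example.com/web' -> 'alice@example.com'."""
    return jid.split("/", 1)[0]


def enforce_from(stanza_xml: str, session_jid: str) -> str:
    """Return the stanza with its from attribute bound to the authenticated session.

    session_jid is assumed to be the full JID the server bound when the
    HTTP-binding session authenticated; it is the only source of truth.
    Raises ValueError when the client asserts a from that is not its own.
    """
    root = ET.fromstring(stanza_xml)
    claimed = root.get("from")
    if claimed is None:
        # No from supplied: the server stamps the authenticated JID.
        root.set("from", session_jid)
    elif claimed in (session_jid, bare_jid(session_jid)):
        # Legitimate value (full or bare): normalise to the full session JID.
        root.set("from", session_jid)
    else:
        # Any other value is a spoofing attempt and must not be routed.
        raise ValueError(f"from {claimed!r} does not match session {session_jid!r}")
    return ET.tostring(root, encoding="unicode")


def sender_of(stanza_xml: str) -> str:
    """Helper for inspecting the from attribute of a serialised stanza."""
    return ET.fromstring(stanza_xml).get("from") or ""


if __name__ == "__main__":
    # Constructed sample: the authenticated session belongs to alice.
    session = "alice@example.com/web"
    ok = '<message xmlns="jabber:client" to="bob@example.com" type="chat"><body>hi</body></message>'
    print(enforce_from(ok, session))
    spoofed = ('<message xmlns="jabber:client" from="admin@example.com" '
               'to="bob@example.com" type="chat"><body>hi</body></message>')
    try:
        enforce_from(spoofed, session)
    except ValueError as exc:
        print("rejected:", exc)
```

Applying the rule at the point where the HTTP-binding layer hands stanzas to the router means a spoofed from never reaches other users, and the rejection is a natural place to log the session identifier for detection.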