Authentication bypass allowing arbitrary code execution

Description

There was a posting on Full-disclosure today about various security issues in OpenFire; I quote from the original posting by Andreas Kurtz.

The text of that posting is attached to this issue. The first issue was confirmed in this thread.

That authentication bypass allows access to the admin console. An attacker could upload and install his own plugin, which allows arbitrary code execution with the rights of openfire, including access to the file system and database.

For the second vulnerability, see JM-1488.
The third is probably already fixed; see JM-629.

Environment

None

Activity

Gaston Dombiak
November 15, 2008, 7:10 AM

The reported problem has been fixed. Let's do the release now since the known issues have been solved. If more things are found, we can fix them in the next release.

Fixed

Assignee

MattM

Reporter

Martin Weusten