Authentication bypass allowing arbitrary code execution

Description

There was a posting on Full-disclosure today about various security issues in OpenFire, I quote from the original posting by Andreas Kurtz.

The text of that posting is attached to this issue. The first issue was confirmed in this thread.

That authentication bypass allows access to the admin console. An attacker could install / upload his own plugin, which allows arbitrary code execution with the rights of openfire, including access to the file system and database.

For second vulnerability see JM-1488.
The third is probably already fixed: JM-629.

Environment

None

Acceptance Test - Entry

None

Activity

Martin Weusten
November 14, 2008, 9:52 PM

This bug is still not solved!!!

This does still return the content of info.log without auth:

Daryl Herzmann
November 14, 2008, 10:01 PM

reopening, cuz I have the power to do so for now

MattM
November 15, 2008, 2:02 AM

Fixes can only ever be as comprehensive as the tests. Thanks guys for pointing out more error cases. I'm about to check in logic that checks for %2E.

We don't like having complex code either. Another approach I've seen is adding an annotation to actions/JSP pages that indicates what kind of access checking should be done. That's probably a better approach since it's very explicit, but isn't a super quick fix. So, I'd rather go with this approach for now if we believe we can catch all the cases.

There's an AuthCheckFilterTest class that we've been adding to. If you guys can think of more cases, let's add them there. I'll leave this issue open for now.
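As an added illustration of the class of bypass discussed in this comment (this is not Openfire's own code, and it is written in Python rather than the project's Java): an auth filter that exempts a few URL patterns from the login requirement is fooled when the exclusion list is matched against the raw request URI, because ".." and its percent-encoded form "%2E" let a request that textually starts with an exempt prefix resolve to a protected page. Matching the canonical path, after decoding and dot-segment normalization, closes that class. The exclusion patterns (login.jsp, setup/setup-*), the protected page name admin-only.jsp and the request URIs below are all constructed for this example and are assumptions, not paths taken from the project.

```python
# Added example, not Openfire's code: a servlet-style auth-check filter that
# exempts some URL patterns from login, shown as a naive raw-string match and
# as a hardened match on the canonicalized path. All patterns and request
# paths are constructed for illustration.
from urllib.parse import unquote
import posixpath

# Hypothetical exclusion list: requests matching these skip the auth check.
EXCLUDES = ("login.jsp", "setup/setup-*")

MAX_DECODE_ROUNDS = 5  # bound repeated percent-decoding; deeper nesting is refused


def _matches_exclude(path: str, pattern: str) -> bool:
    """Match a path against a pattern that may end in a '*' wildcard."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def naive_is_excluded(request_uri: str) -> bool:
    """Weak check: compares the request URI exactly as the client sent it.
    'setup/setup-/../admin-only.jsp' starts with 'setup/setup-' and is exempted,
    although the container resolves it to setup/admin-only.jsp."""
    return any(_matches_exclude(request_uri, p) for p in EXCLUDES)


def canonicalize(request_uri: str) -> str:
    """Strip the query string, percent-decode until the value is stable
    (catches %2E as well as double-encoded %252E), then collapse '.' and '..'
    segments against the web root the way the container will when it resolves
    the path. Returns the path without a leading slash."""
    path = request_uri.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many percent-encoding layers")
    if not path.startswith("/"):
        path = "/" + path
    # normpath on an absolute path resolves '..' and never climbs above '/'.
    return posixpath.normpath(path).lstrip("/")


def hardened_is_excluded(request_uri: str) -> bool:
    """Exempt a request only if its canonical path matches an exclusion;
    anything that cannot be canonicalized is treated as protected."""
    try:
        path = canonicalize(request_uri)
    except ValueError:
        return False
    return any(_matches_exclude(path, p) for p in EXCLUDES)


if __name__ == "__main__":
    # Constructed request URIs covering the cases raised in the thread:
    # plain traversal, %2E-encoded traversal, double encoding, legit exempt pages.
    cases = [
        "login.jsp",
        "setup/setup-index.jsp",
        "setup/setup-/../admin-only.jsp",
        "setup/setup-/%2E%2E/admin-only.jsp",
        "setup/setup-/%252E%252E/admin-only.jsp",
        "admin-only.jsp",
    ]
    print(f"{'request URI':44} naive  hardened")
    for uri in cases:
        print(f"{uri:44} {naive_is_excluded(uri)!s:6} {hardened_is_excluded(uri)!s}")
```

The point of the bounded decode loop is that a filter which decodes exactly once is still bypassable by encoding twice; decoding until the string stops changing, with a cap so a hostile input cannot spin the loop, is the check that survives the "more error cases" MattM mentions.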

Martin Weusten
November 15, 2008, 2:54 AM

We don't like having complex code either. Another approach I've seen is adding an annotation to actions/JSP pages that indicates what kind of access checking should be done.

What about the fix from Guus and me I posted above?

Gaston Dombiak
November 15, 2008, 7:10 AM

Reported problem has been fixed. Let's do the release now since known issues have been solved. If more things are found we can fix them in the next release.

Assignee

MattM

Reporter

Martin Weusten

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Blocker