Admin console (XSS) vulnerability lets attacker change admin password or create new admin

Description

From http://1337day.com/exploits/21338:

This exploit uses multiple vulnerabilities in Openfire.
The Openfire admin must visit the exploit link.
The attacker can then create a new admin or change the admin password.

But there is no real exploit code example except for the paid one.

Environment

None

Acceptance Test - Entry

None

Activity

Tom Evans
April 16, 2014, 4:40 PM

Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.

Tom Evans
April 16, 2014, 7:21 PM

FYI related to WIP on admin console CSRF vulnerabilities: http://community.igniterealtime.org/message/238263

Tom Evans
April 17, 2014, 5:04 PM

This issue is partially resolved (XSS vulnerabilities) with the merge of pull request #1 into master.

A fix for the CSRF vulnerabilities is still pending.

Daryl Herzmann
April 30, 2014, 5:43 PM

Moving unfixed 3.9.2 issues to 3.9.3 for consideration.

Daryl Herzmann
April 30, 2014, 8:07 PM

cloned for the CSRF work

Assignee

Tom Evans

Reporter

wroot

Labels

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major