Spotted during a vulnerability assessment with a BurpSuite run (v1.6.31), against Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).
Issue remediation
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.
Fixed by PR 442; now set by an option, adminConsole.frame-options, which defaults to "deny".
Closing.
Found during 4.1.0 Beta testing to be open for general admin console, but not plugins.
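A small verification script for the remediation quoted above, added here as an example and not part of the Openfire project or this issue's attachments: it classifies the X-Frame-Options header on each response and walks a list of admin console paths, so the plugin pages mentioned in the last comment can be checked alongside the main console. The host name, the admin console port 9090 and the two paths are assumptions.

```python
"""Check whether HTTP responses carry an effective X-Frame-Options header."""
import http.client

SAFE_VALUES = {"deny", "sameorigin"}


def classify_frame_options(headers):
    """Classify the X-Frame-Options header in `headers`.

    `headers` is a dict or an iterable of (name, value) pairs; header names
    are matched case-insensitively. Returns one of: 'deny', 'sameorigin',
    'missing', 'allow-from' or 'invalid'.
    """
    items = headers.items() if hasattr(headers, "items") else headers
    values = [v for k, v in items if k.lower() == "x-frame-options"]
    if not values:
        return "missing"
    # Duplicate or comma-joined values are handled inconsistently by browsers
    # and may be ignored entirely, so treat them as no protection at all.
    if len(values) > 1 or "," in values[0]:
        return "invalid"
    value = values[0].strip().lower()
    if value in SAFE_VALUES:
        return value
    if value.startswith("allow-from"):
        return "allow-from"  # obsolete directive, ignored by most browsers
    return "invalid"


def is_frameable(headers):
    """True when the response can be framed by a third-party page."""
    return classify_frame_options(headers) not in SAFE_VALUES


def check_paths(host, paths, port=9090):
    """Fetch each path from the admin console and report the header state."""
    results = {}
    conn = http.client.HTTPConnection(host, port, timeout=10)
    for path in paths:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be reused
        results[path] = classify_frame_options(resp.getheaders())
    conn.close()
    return results


if __name__ == "__main__":
    # Assumed host and paths: the console login page and a plugin page.
    for path, state in check_paths("openfire.example.invalid",
                                   ["/login.jsp", "/plugins/"]).items():
        print(f"{path}: {state}")
```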