Clemens Lucas Fries
11-18-2008, 10:31 PM
This issue is fixed with version 3.6.1 (released on Nov. 14th).
Although I'm four days late I wanted to bring this to the attention of
Openfire administrators.
Quick summary:
It is possible, by using a specially crafted URL, to access the web interface
of Openfire, bypassing authentication.
Here is the issue: http://www.igniterealtime.org/issues/browse/JM-1489
Here is a posting by 'ktk', quoting the message as it was posted by Andreas
Kurtz on Full Disclosure with some additional information:
http://www.igniterealtime.org/community/message/182518