This script is Copyright (C) 2008-2016 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
Andreas Kurtz reports :
The jabber server Openfire (<= version 3.6.0a) contains several
serious vulnerabilities. Depending on the particular runtime
environment these issues can potentially even be used by an attacker
to execute code on operating system level.
- Authentication bypass - This vulnerability provides an attacker full
access to all functions in the admin web interface without providing
any user credentials. The Tomcat filter which is responsible for
authentication could be completely circumvented.
- SQL injection - It is possible to pass SQL statements to the backend
database through a SQL injection vulnerability. Depending on the
particular runtime environment and database permissions it is even
possible to write files to disk and execute code on operating system
- Multiple Cross-Site Scripting - Permits arbitrary insertion of HTML-
parameter to specify a destination to which a user will be forwarded
to after successful authentication.
See also :
Update the affected package.
Risk factor :
High / CVSS Base Score : 7.5
Public Exploit Available : true
Family: FreeBSD Local Security Checks
Nessus Plugin ID: 34839 (freebsd_pkg_937adf01b64a11dda55e00163e000016.nasl)