Openfire < 3.6.4 Arbitrary Password Manipulation
Medium Nessus Network Monitor Plugin ID 5018
Synopsis
The remote server can be tricked into modifying user credentials.
Description
The remote host is running Openfire (formerly Wildfire), an instant messaging server that implements the XMPP protocol. According to its version, the installed Openfire or Wildfire is affected by a vulnerability that allows a remote attacker to change the password of any user. Specifically, input sent in the 'passwd_change' parameter of the jabber:iq:auth routine is not sufficiently validated. An attacker exploiting this flaw could reset the password of an arbitrary account and thereby gain access to it.
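To make the class of bug concrete, the following is an added illustrative model (not Openfire's source and not code from this plugin) of a jabber:iq:auth password-change handler. It assumes a password change is expressed as an IQ set carrying a `<query xmlns='jabber:iq:auth'>` with `<username/>` and `<password/>` children, and that the session already carries the authenticated username. The unsafe variant acts on whatever username the stanza names; the corrected variant only lets a session change its own password. The user table, stanza, session class and error strings are constructed for the example.

```python
"""Toy model of a jabber:iq:auth password-change handler.

Assumed (not Openfire's code): an already-authenticated session sends
<iq type='set'><query xmlns='jabber:iq:auth'><username/><password/></query></iq>
to change a password. The unsafe handler trusts the <username/> element,
so any authenticated user can overwrite any other account's password.
"""
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"

# Constructed sample user store: username -> current password.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}


class Session:
    """Minimal stand-in for an authenticated client stream."""

    def __init__(self, username):
        self.username = username  # identity established at login


def build_password_change(username, new_password):
    """Serialise a jabber:iq:auth set stanza with proper XML escaping."""
    iq = ET.Element("iq", {"type": "set", "id": "pw1"})
    query = ET.SubElement(iq, f"{{{NS_AUTH}}}query")
    ET.SubElement(query, f"{{{NS_AUTH}}}username").text = username
    ET.SubElement(query, f"{{{NS_AUTH}}}password").text = new_password
    return ET.tostring(iq, encoding="unicode")


def parse_auth_set(stanza_xml):
    """Return (username, new_password) from an IQ set carrying a
    jabber:iq:auth query; raise ValueError if the stanza is malformed."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag != "iq" or iq.get("type") != "set":
        raise ValueError("not an IQ set")
    query = iq.find(f"{{{NS_AUTH}}}query")
    if query is None:
        raise ValueError("no jabber:iq:auth query")
    user = query.findtext(f"{{{NS_AUTH}}}username")
    password = query.findtext(f"{{{NS_AUTH}}}password")
    if not user or password is None:
        raise ValueError("username and password are required")
    return user, password


def handle_vulnerable(session, stanza_xml, users):
    """Pre-fix behaviour: the target account comes from the stanza and is
    never compared with the session's own identity."""
    target, new_password = parse_auth_set(stanza_xml)
    if target not in users:
        return "error:item-not-found"
    users[target] = new_password
    return "result"


def handle_fixed(session, stanza_xml, users):
    """Post-fix behaviour: a session may only change its own password.
    The 'forbidden' error string is an assumed convention for the model."""
    target, new_password = parse_auth_set(stanza_xml)
    if target != session.username:
        return "error:forbidden"
    users[target] = new_password
    return "result"


# Constructed attack stanza: alice's session asks to set bob's password.
CHANGE_BOB = build_password_change("bob", "owned")

if __name__ == "__main__":
    store = dict(USERS)
    print(handle_vulnerable(Session("alice"), CHANGE_BOB, store), store["bob"])
    store = dict(USERS)
    print(handle_fixed(Session("alice"), CHANGE_BOB, store), store["bob"])
```

The fixed handler's check is the one a reviewer should look for in any "change password" path: the account being modified must be derived from, or compared against, the authenticated identity of the caller, never taken solely from the request body.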
Solution
Upgrade to Openfire version 3.6.4 or later.