
Openfire < 3.6.4 Arbitrary Password Manipulation

Medium

Synopsis

The remote server can be tricked into modifying user credentials.

Description

The remote host is running Openfire / Wildfire, an instant messaging server that supports the XMPP protocol. According to its version number, the installed Openfire or Wildfire is affected by a vulnerability that allows a remote attacker to change the password of any user: input sent to the 'passwd_change' parameter of the jabber:iq:auth routine is not sufficiently sanitized. An attacker exploiting this flaw would be able to gain access to any user account.
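Two defender-side checks that follow from the description, as an added example that is not part of this advisory or of the Nessus plugin: a version test against the 3.6.4 fix threshold, and a stanza inspector for server logs or captures that flags a jabber:iq:auth password set whose target username differs from the authenticated session user. The function names, the sample stanza and the assumption that misuse shows up as such a mismatch are this example's own; the jabber:iq:auth element layout is the standard XEP-0078 one.

```python
import re
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"   # legacy XMPP auth namespace named in the advisory
FIXED_VERSION = (3, 6, 4)    # first release the advisory lists as fixed


def parse_version(version: str) -> tuple:
    """Turn '3.6.3' or '3.6.4 beta' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True for any Openfire/Wildfire build older than the fixed version."""
    return parse_version(version) < FIXED_VERSION


def flag_password_change(stanza_xml: str, session_user):
    """Return the targeted username when an authenticated session sends a
    jabber:iq:auth 'set' carrying a password for a different account.

    session_user is None while the stream is still unauthenticated; a
    username+password 'set' at that point is an ordinary XEP-0078 login and
    is not flagged. Returns None when nothing is suspicious."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "set":
        return None
    query = iq.find(f"{{{AUTH_NS}}}query")
    if query is None:
        return None
    user = query.find(f"{{{AUTH_NS}}}username")
    pwd = query.find(f"{{{AUTH_NS}}}password")
    if user is None or pwd is None or session_user is None:
        return None
    target = (user.text or "").strip().lower()
    if target and target != session_user.strip().lower():
        return target  # password set aimed at another account: alert on this
    return None


# Constructed sample stanza (hypothetical host and users) for a stand-alone run.
SAMPLE_STANZA = """<iq type='set' id='chg1' to='im.example.test'>
  <query xmlns='jabber:iq:auth'>
    <username>bob</username>
    <password>new-secret</password>
  </query>
</iq>"""

if __name__ == "__main__":
    print("3.6.3 vulnerable:", is_vulnerable("3.6.3"))
    print("flagged target:", flag_password_change(SAMPLE_STANZA, "alice"))
```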

Solution

Upgrade to Openfire version 3.6.4 or later.