Multiple security vulnerabilities in OpenFire server

Hi there,

We found several security vulnerabilities in OpenFire server, and we are not quite sure how to disclose them in a responsible way. What is the correct process? Is there a way to provide the developers with full details without telling the world? We searched the web for a dedicated email address or similar but did not find anything useful.

Some of these vulnerabilities are critical and should be fixed as soon as possible.

Regards,

Damien

Hi, emailing security@igniterealtime.org is the best option.

As I already mentioned in the email, one should check that this report does not duplicate some of the already filed vulnerabilities here: [OF-942] Admin Console security improvement - Jive Software Open Source

It would be nice if you could post only the ones which are not already reported. And I don’t think these kinds of issues should be reported secretly (XSS, CSRF and similar). They are bad, but only if an admin is browsing the wrong places while logged into the Admin Console. And such reports are still attached to the publicly available ticket in the bug tracker.

Hi, I’m the coworker of Damien Cauquil. I’m also the one who discovered the previous vulnerabilities mentioned in this post.

In order to verify whether the previous vulnerabilities were patched, I ran some other tests and discovered other XSS issues in Openfire version 4.0.0.

I suppose I should use the same process as Damien did (he is not available for some time). I will send a mail to security@igniterealtime.org, with a reference to this message.

Thank you.

Regards,

Florian