
Openfire security issues (sending username in URL)


#1

We are using Openfire 4.0.2 as our chat server. Openfire provides the following URL to consume the chat data for a user, but as part of the URL it accepts the username.

https://localhost:8080/http-bind/?jid=siadmin_000000000000001

In this URL the following sensitive information was found: username. Our security team has raised the issue that information in the URL may be stored in various locations such as web server logs, browser history, bookmarks, the Referer header, or even search engine results, which increases the risk of disclosure to an attacker. Can you support sending the username in the request body instead of the URL? Please let us know if we can do it or whether there is any plan to fix it.


#2

Are you positive this is not coming from the client side?


#3

Yes, it is coming from the client. I just wanted to know if Openfire supports or allows sending the JID via a request header instead of the URL.


#4

Openfire does not require any of this, to my knowledge. The JID is always embedded within the actual XML payload stanzas.
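As an added illustration of the point made in #4 (this is example code, not code from the thread, the poster's client, or Openfire itself): a BOSH client only needs the domain in the session-creation body and sends the username inside the SASL `<auth>` element of a later POST body, so nothing identifying needs to appear in the `/http-bind/` query string. The `jid` parameter name is the one from the report; the `sensitive_params_in_url` helper is a small check a reviewer can run over client-built URLs or access-log entries. The JID, session id and password values are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit, parse_qs
from xml.sax.saxutils import quoteattr

# Query-parameter names that should never travel in a URL (logs, history, Referer).
SENSITIVE_PARAMS = {"jid", "username", "user", "password", "token"}


def sensitive_params_in_url(url):
    """Return the names of query parameters in `url` that leak identity or credentials."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


def bosh_session_request(jid, rid, wait=60, hold=1):
    """XEP-0124 session-creation body for a client whose JID is user@domain.

    Only the domain part is sent, and it is sent in the POST body (never the query string).
    """
    _user, domain = jid.split("@", 1)
    return ('<body rid="%d" to=%s xmlns="http://jabber.org/protocol/httpbind" '
            'xmlns:xmpp="urn:xmpp:xbosh" xmpp:version="1.0" wait="%d" hold="%d"/>'
            % (rid, quoteattr(domain), wait, hold))


def sasl_plain_credentials(user, password):
    """SASL PLAIN message (empty authzid): base64(NUL user NUL password)."""
    raw = ("\0" + user + "\0" + password).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(creds):
    """Inverse of sasl_plain_credentials; returns (authzid, user, password)."""
    parts = base64.b64decode(creds).decode("utf-8").split("\0")
    return tuple(parts)


def bosh_sasl_plain_request(sid, rid, jid, password):
    """XEP-0206 authentication body: the username is carried inside the XML payload."""
    user, _domain = jid.split("@", 1)
    return ('<body rid="%d" sid=%s xmlns="http://jabber.org/protocol/httpbind">'
            '<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">%s</auth></body>'
            % (rid, quoteattr(sid), sasl_plain_credentials(user, password)))
```

The session body can be POSTed to `https://localhost:8080/http-bind/` with no query parameters at all; the `sid` returned by the server is then used in the authentication body.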