
Openfire 3.6.4 vulnerabilities

The following URLs can be accessed anonymously. How can we avoid this? Please reply, it's urgent.

http://xxxxxxxxxxx:9090/images/

http://xxxxxxxxxxxxxx:9090/style/

http://xxxxxxxxxxxxxxx:9090/js/

Since I have yet to get a response to my post, I thought I would at least let you know that you haven't received a reply either!

BUT, this is some good info that I was not aware of. I’m wondering (for a quick fix) if you could change the security and/or permissions on those directories without affecting the Openfire operation?

Good luck!

You can block port 9090 with the firewall if you are not serving any services through this port.

I don't think this is a vulnerability, since there isn't any private data in these public folders. They should be accessible anonymously, since they are necessary for the Openfire setup (no user is registered at this time) and the login page. If you don't use the admin console, please feel free to block the ports. Maybe we should add an option to provide the admin console only on the localhost loopback device.