Hello,
It looks like all Openfire versions are affected by a reported vulnerability described below:
**Openfire No-Password-Changes Security Bypass**
A vulnerability has been reported in Openfire, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability is caused due to Openfire not properly respecting the “no password changes” setting, which can be exploited to change passwords by sending jabber:iq:auth “passwd_change” requests to the server.
CVE-2009-1596
Authentication
High. Exploiting this issue can allow the attacker to gain unauthorized access to the affected application and to completely compromise victims’ accounts.
Moderate. The following example data is sufficient to trigger this issue:
```xml
<iq type='set' id='passwd_change'>
  <query xmlns='jabber:iq:auth'>
    <username>test2</username>
    <password>newillegalychangedpassword</password>
  </query>
</iq>
```
The vendor has released an update:
http://www.igniterealtime.org/projects/openfire/index.jsp
212.8.163.209
Here’s the proof of concept code:
test.user
newillegalychangedpassword
Do you know if there's any patch available to fix this? If not, we might have to shut down our corporate server until it's fixed.
Regards,
Alpha.
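The following is an added example, not part of the post above and not Openfire's own code: a minimal handler for the jabber:iq:auth stanza quoted in the advisory, written two ways. The first honours the `<password/>` child without ever consulting the "no password changes" setting, which is the behaviour the advisory describes; the second refuses the change with `not-allowed` when the setting forbids it and, as an additional check that is an assumption of this example rather than something the advisory states, only lets a session change its own account's password. The user store, the setting flag and the string return values are stand-ins for illustration and do not model Openfire's real classes or properties.

```python
"""Added example (not Openfire's code): handling of a jabber:iq:auth
'passwd_change' IQ with and without the 'no password changes' check.
Setting name, user store and return values are assumptions for illustration."""
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"     # legacy authentication namespace used by the stanza
NS_CLIENT = "jabber:client"

# The stanza from the advisory, wrapped in the client stream namespace so it
# parses as a standalone document (constructed sample input, quotes normalised).
ATTACK_STANZA = (
    f'<iq xmlns="{NS_CLIENT}" type="set" id="passwd_change">'
    f'<query xmlns="{NS_AUTH}">'
    '<username>test2</username>'
    '<password>newillegalychangedpassword</password>'
    '</query></iq>'
)


class UserStore:
    """Toy in-memory user store (assumption; stands in for a real user provider)."""

    def __init__(self, users):
        self.passwords = dict(users)

    def set_password(self, username, new_password):
        if username not in self.passwords:
            raise KeyError(username)
        self.passwords[username] = new_password


def build_passwd_change_iq(username, password):
    """Build the same stanza a client would send, with proper XML escaping."""
    iq = ET.Element(f"{{{NS_CLIENT}}}iq", {"type": "set", "id": "passwd_change"})
    query = ET.SubElement(iq, f"{{{NS_AUTH}}}query")
    ET.SubElement(query, f"{{{NS_AUTH}}}username").text = username
    ET.SubElement(query, f"{{{NS_AUTH}}}password").text = password
    return ET.tostring(iq, encoding="unicode")


def _parse_passwd_change(stanza_xml):
    """Return (username, password) from an <iq type='set'> with a jabber:iq:auth
    query carrying both children, or None if the stanza is not such a request."""
    iq = ET.fromstring(stanza_xml)
    query = iq.find(f"{{{NS_AUTH}}}query")
    if iq.get("type") != "set" or query is None:
        return None
    username = query.findtext(f"{{{NS_AUTH}}}username")
    password = query.findtext(f"{{{NS_AUTH}}}password")
    if not username or not password:
        return None
    return username, password


def handle_iq_auth_vulnerable(stanza_xml, store, allow_password_changes, sender_user):
    """Behaviour the advisory describes: the password child is acted on and the
    'no password changes' setting (allow_password_changes) is never consulted."""
    parsed = _parse_passwd_change(stanza_xml)
    if parsed is None:
        return "error:bad-request"
    username, password = parsed
    store.set_password(username, password)   # setting ignored: this is the bug
    return "result"


def handle_iq_auth_fixed(stanza_xml, store, allow_password_changes, sender_user):
    """Hardened form: enforce the setting first, then (assumption of this
    example) only allow a session to change the password of its own account."""
    parsed = _parse_passwd_change(stanza_xml)
    if parsed is None:
        return "error:bad-request"
    username, password = parsed
    if not allow_password_changes:
        return "error:not-allowed"      # the server policy forbids changes
    if username != sender_user:
        return "error:forbidden"        # never change another user's password
    store.set_password(username, password)
    return "result"


if __name__ == "__main__":
    store = UserStore({"test2": "original"})
    print("vulnerable:", handle_iq_auth_vulnerable(ATTACK_STANZA, store, False, "attacker"),
          store.passwords["test2"])
    store = UserStore({"test2": "original"})
    print("fixed:", handle_iq_auth_fixed(ATTACK_STANZA, store, False, "attacker"),
          store.passwords["test2"])
```

The order of checks in the hardened handler matters: the policy check comes before any write to the store, so a server with password changes disabled never touches the user record, whatever the stanza contains.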