Possible to change another user's password

Erik_Hoogeveen · April 14, 2009, 8:16am

Hi,

We’ve run into a very serious security issue with openfire. If a user sends an iq:auth request to change his/her password openfire doesn’t verify if the given username belongs to the user sending the request. In other words if user A sends a request to change the password of user B openfire will happily do so.

Reproducing this problem is quite easy.

Start an Openfire server
Create two user accounts test1 and test2
Start Spark with the debug window enabled and log in with the user test1.
In the debug window go to the ad-hoc message tab and typ in this stanza

test2 newillegalychangedpassword

Openfire wil respond with:

And even worse the test2 user can now only log in with the password “newillegalychangedpassword”.

It’s not hard to fix. If you want, I can sent you a patch.

Cheers,

Erik

akrherz · April 14, 2009, 1:51pm

Hi Erik,

Thanks for reporting this, please send a patch.

daryl

Erik_Hoogeveen · April 14, 2009, 1:59pm

Here is the patch to fix this issue
IQAuthHandler_Patch.txt (2005 Bytes)

akrherz · April 14, 2009, 2:05pm

http://www.igniterealtime.org/issues/browse/JM-1531

akrherz · April 14, 2009, 2:39pm

Sweet,

You can use this to set the admin user’s password on the server and then log in on the console.

daryl

akrherz · April 14, 2009, 2:47pm

Sweet,

You can even change the password when the server is setup to not allow password changes.

daryl

akrherz · April 14, 2009, 3:16pm

Hi,

here is openfire trunk with the patch above applied binary:

[delete]

No need for this with 3.6.4 out the door

daryl

Message was edited by: Daryl Herzmann

Martin_Weusten · April 14, 2009, 5:10pm

@Daryl Herzmann: Thank for your custom build. Works for me.

Darian_Anthony_Patri · April 15, 2009, 2:01am

Nice work Erik. Thanks for reporting this. Jive people, how soon can we expect to see an official release?

wroot · April 15, 2009, 3:59am

Daryl, your patch is only for a 64-bit OS?

I think somebody has already PMed this to Gato/Matt?

wroot · April 15, 2009, 5:30am

Btw, is this patch fixing the other issue, that Openfire is not obeying the option to not let users to change their passwords? Or should we file another ticket for that?

Martin_Weusten · April 15, 2009, 8:56am

Daryl, your patch is only for a 64-bit OS?
I think Java does not make differences there. It’s running on 32bit CentOS 5.3 here.

wroot · April 15, 2009, 10:00am

I thought so So i will replace it in my server today and will check my second question.

akrherz · April 15, 2009, 11:14am

Hi,

I did not write the patch. Yes, I let gato and matt know. They confirmed that it would be fixed asap.

daryl

akrherz · April 15, 2009, 11:32am

Good point, JM-1532

wroot · April 29, 2009, 12:25pm

They confirmed that it would be fixed asap.

So, i was right to apply the community patch. Jive’s “asap” can take ages…