Hi,
We’ve run into a very serious security issue with openfire. If a user sends an iq:auth request to change his/her password openfire doesn’t verify if the given username belongs to the user sending the request. In other words if user A sends a request to change the password of user B openfire will happily do so.
Reproducing this problem is quite easy.
-
Start an Openfire server
-
Create two user accounts test1 and test2
-
Start Spark with the debug window enabled and log in with the user test1.
-
In the debug window go to the ad-hoc message tab and typ in this stanza
- Openfire wil respond with:
And even worse the test2 user can now only log in with the password “newillegalychangedpassword”.
It’s not hard to fix. If you want, I can sent you a patch.
Cheers,
Erik