Secure Offmeet Web

Hi all, I have installed and configured Openfire 4.0.2 with the Openfire Meetings plugin version 0.3.15, and I also integrated it with AD, after creating the focus user in AD etc…

Everything is working fine, and I wanted to thank all of you who have contributed to making this great piece of software possible.

That said, I found some issues that I would like to solve, but I will need some help from you.

Issues are:

1.- I want to prevent anonymous users from being able to create meeting rooms.

(Maybe this is already implemented, since it seems like an old issue: https://community.igniterealtime.org/message/238582#comment-238582)

2.- When I get prompted for user/password on the ofmeet web interface, if I give the Openfire admin user but a wrong password, then I am granted access to the site. (This seems to me like a great security issue.)

But I can’t find how to do that. Could you please lend me a hand with this?

Thanks in advance.

Q1: Change the room creation permissions in OF using the admin web page:

http://your-server:9090/muc-create-permission.jsp?mucname=conference

Q2: Are you sure that you are not reusing the cached credentials? Close the browser session completely, including the icon in the system tray, and try a new login.

Hi Dele, thanks for your kind and fast answer.

The first issue (Q1) is now solved, thanks for the tip.

And about (Q2), you must be right, since I tested logging in on a different PC, one that I’ve never used before, and it worked as expected.

So thanks a lot.

Problem solved


I would like to ask just one more thing, if you don’t mind.

Are you aware of any development of a Firefox ofmeet plugin? If so, could you give me the link?

If there is no plugin… could it be easy to implement one using the Chrome plugin?

I would love to help develop a plugin for Firefox, since it’s my default web browser and most people’s in the world too.

Hi Dele, after some more testing I found this…

When logging in on a new PC, the behavior is fine, as I told you before.

But when logging in on a PC where the admin has already been logged in previously (even if I close the session and close the systray icon), a person can get access to the website knowing only the username: once I get asked for user and password, putting in the admin user and a wrong password, I’m allowed access to the webpage and can even create any room I want (since this user has room creation privileges).

Maybe it’s something I’m doing wrong? Or is it a bug?

Thanks

I have done some tests and reproduced the behaviour you described. From what I have read so far, the last successful credentials are cached and reused by the Chrome web browser, ignoring whatever you put in the password field. Restarting Chrome does not make a difference.

I am still trying to find out how to reset the cache.

Hi Dele. Thanks for taking time to test it. It seems to me like a big security issue. I don’t know why Chrome keeps caching user credentials if I haven’t been asked to save them.

Firefox is a far more secure browser. Could you give me some info on a plugin for Firefox? Is there any plugin out there I can use, or any development started that I can help with?

I found it!!!

It was a bug in my code. Expect a fix in version 0.3.20. Thanks so much for discovering this security hole.

Nice!! Thanks for taking time to fix it. Glad to help; actually, I would love to contribute much more.