In the vulnerability scan results for Openfire v4.6.0, we found 3 issues.
- Password Hardcoded
\xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java , line 10
\xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java , line 11
\xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java , line 14
\xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java , line 15
\xmppserver\src\test\java\org\jivesoftware\openfire\keystore\OpenfireX509TrustManagerTest.java , line 47
Q>> We would like to confirm that those hardcoded passwords are for test purposes only and are not actually used in any authentication.
- Weak Cryptographic Hash
/xmppserver/src/main/java/org/jivesoftware/openfire/auth/AuthFactory.java, line 65
/xmppserver/src/main/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java, line 288
/xmppserver/src/main/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java, line 333
/xmppserver/src/main/java/org/jivesoftware/openfire/auth/JDBCAuthProvider.java, line 281
/xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java, line 202
/xmppserver/src/main/java/org/jivesoftware/util/Blowfish.java, line 1509
Q>> Will there be any change to use stronger cryptographic algorithms instead of MD4, MD5, and SHA-1 in a later version?
- Command Injection
/starter/src/main/java/org/jivesoftware/openfire/launcher/Launcher.java, line 451
/starter/src/main/java/org/jivesoftware/openfire/launcher/Launcher.java, line 438
/starter/src/main/java/org/jivesoftware/openfire/launcher/Launcher.java, line 441
Q>> Will there be any code improvement for this issue in a later version?
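Editor's note on the "Weak Cryptographic Hash" category: the example below is added here to illustrate what this scanner finding usually means in practice; it is not Openfire code and does not show what any of the listed files actually do. Two caveats a reviewer would want before acting on the list: a digest flagged by name is only a weakness when it is used where collision or preimage resistance matters (unsalted password storage, signatures), and SCRAM-SHA-1 uses SHA-1 by specification (RFC 5802) inside HMAC and PBKDF2, where MD5/SHA-1 collision attacks do not apply, so an XMPP server that advertises that mechanism has to compute SHA-1. The code contrasts the pattern that gets reported (a fast, unsalted `MD5` of the password) with a salted PBKDF2-HMAC-SHA256 hash and a constant-time verify; the class name, iteration count and storage format are the editor's assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration, not Openfire code. Shows the pattern a SAST tool reports
// as "Weak Cryptographic Hash" next to a password-storage scheme it does not flag.
public class PasswordHashingExample {

    // "Before": unsalted, fast digest of the password. Reported by scanners because
    // it is cheap to brute-force and identical passwords produce identical hashes.
    static String weakMd5(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Assumed parameters for the hardened form (editor's choice, not a project setting).
    static final int ITERATIONS = 200_000;
    static final int KEY_BITS = 256;
    static final int SALT_BYTES = 16;

    // "After": random per-password salt, slow key derivation, self-describing record
    // so the iteration count can be raised later without breaking existing entries.
    static String hashPassword(char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS, KEY_BITS);
        return "pbkdf2-sha256$" + ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    // Re-derives the key from the stored salt/iterations and compares in constant time,
    // so timing does not leak how many leading bytes of the hash matched.
    static boolean verifyPassword(char[] password, String stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2-sha256")) {
            return false;
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(password, salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    private static String b64(byte[] data) {
        return Base64.getEncoder().encodeToString(data);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        System.out.println("MD5 (flagged):   " + weakMd5(new String(pw)));
        String stored = hashPassword(pw);
        System.out.println("PBKDF2 record:   " + stored);
        System.out.println("verify correct:  " + verifyPassword(pw, stored));
        System.out.println("verify wrong:    " + verifyPassword("wrong".toCharArray(), stored));
    }
}
```

When triaging the listed locations, the useful question is not "which digest name appears" but "what is it protecting": a digest used to fingerprint a certificate or to implement a protocol-mandated MAC is a different risk from a digest used to store or check user passwords, and only the latter calls for the kind of replacement shown above.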