Openfire (ARCHIVED)

Prevent users from changing other users' passwords

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 3.6.3
  • Fix Version/s: 3.6.4
  • Component/s: Core
  • Labels: None
  • Acceptance Test - Add?: No

Description

http://www.igniterealtime.org/community/message/190280

We've run into a very serious security issue with Openfire. If a user sends an iq:auth request to change his/her password, Openfire doesn't verify if the given username belongs to the user sending the request. In other words, if user A sends a request to change the password of user B, Openfire will happily do so.

Reproducing this problem is quite easy.

  • Start an Openfire server
  • Create two user accounts test1 and test2
  • Start Spark with the debug window enabled and log in with the user test1.
  • In the debug window go to the ad-hoc message tab and type in this stanza

<iq type='set' id='passwd_change'>
<query xmlns='jabber:iq:auth'>
<username>test2</username>
<password>newillegalychangedpassword</password>
</query>
</iq>

  • Openfire will respond with:

<iq type="result" id="passwd_change" to="test1@ourxmppdomain.foo/spark"/>

And even worse, the test2 user can now only log in with the password "newillegalychangedpassword".

It's not hard to fix. If you want, I can send you a patch.

Cheers,

Erik
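
The missing check described in the report, as an added example (not Openfire's code and not the patch offered for this issue): a password-change request is honoured only when the username in the stanza matches the session's authenticated user. The class and method names are hypothetical, and lowercasing stands in for proper XMPP nodeprep comparison.

```java
import java.io.StringReader;
import java.util.Locale;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical stand-alone illustration; not an Openfire class.
public class IqAuthOwnershipCheck {
    static final String NS = "jabber:iq:auth";

    /** Returns the text of the first <username> in the jabber:iq:auth namespace, or null. */
    static String requestedUsername(String stanza) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so an untrusted stanza cannot define entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(stanza)));
        NodeList n = d.getElementsByTagNameNS(NS, "username");
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    /** True only if the authenticated session user is the account named in the request. */
    static boolean mayChangePassword(String sessionUser, String stanza) throws Exception {
        String target = requestedUsername(stanza);
        if (sessionUser == null || target == null || target.length() == 0) {
            return false; // fail closed on missing or empty usernames
        }
        // Assumption: lowercasing approximates nodeprep for this example.
        return sessionUser.toLowerCase(Locale.ROOT).equals(target.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the stanza from the report above.
        String stanza = "<iq type='set' id='passwd_change'>"
            + "<query xmlns='jabber:iq:auth'>"
            + "<username>test2</username>"
            + "<password>newillegalychangedpassword</password>"
            + "</query></iq>";
        // Session authenticated as test1 must be refused; test2 may change its own password.
        System.out.println("session test1: " + mayChangePassword("test1", stanza));
        System.out.println("session test2: " + mayChangePassword("test2", stanza));
    }
}
```

A server applying this check would answer the refused request with an IQ error instead of the `type="result"` shown in the report.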

Activity

David Horwitz added a comment -

Note the patch uses Java 6 specific syntax:

String.isEmpty() is a new Java 6 method. If you want to retain 1.5 compatibility that needs to be:

String.length() == 0

