Prevent users from changing other users passwords

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.6.3
Fix Version/s: 3.6.4
Component/s: Core
Labels:
None

Acceptance Test - Add?:
No

Description

http://www.igniterealtime.org/community/message/190280

We've run into a very serious security issue with openfire. If a user sends an iq:auth request to change his/her password openfire doesn't verify if the given username belongs to the user sending the request. In other words if user A sends a request to change the password of user B openfire will happily do so.

Reproducing this problem is quite easy.

Start an Openfire server

Create two user accounts test1 and test2

Start Spark with the debug window enabled and log in with the user test1.

In the debug window go to the ad-hoc message tab and typ in this stanza

<iq type='set' id='passwd_change'>
<query xmlns='jabber:iq:auth'>
<username>test2</username>
<password>newillegalychangedpassword</password>
</query>
</iq>

Openfire wil respond with:

And even worse the test2 user can now only log in with the password "newillegalychangedpassword".

It's not hard to fix. If you want, I can sent you a patch.

Cheers,

Erik

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

IQAuthHandler_Patch.txt

04/14/09 02:05 PM

2 kB

Daryl Herzmann

Activity

Hide

Permalink

David Horwitz added a comment - 04/15/09 07:10 AM

not the patch uses Java 6 specific syntax:

String.isEmpty() is a new Java 6 method. If you want to retain 1.5 compatibility that needs to be:

String.lenght() == 0

Show

David Horwitz added a comment - 04/15/09 07:10 AM not the patch uses Java 6 specific syntax: String.isEmpty() is a new Java 6 method. If you want to retain 1.5 compatibility that needs to be: String.lenght() == 0

People

Assignee:

Gaston Dombiak

Reporter:

Daryl Herzmann

Vote (3)

Watch (5)

Dates

Created:

04/14/09 02:05 PM

Updated:

05/01/09 08:44 PM

Resolved:

05/01/09 08:44 PM