  1. Openfire
  2. OF-1110

CVE-2009-1595 Prevent users from changing other users' passwords

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.4
    • Component/s: Core
    • Labels:
      None

      Description

      http://www.igniterealtime.org/community/message/190280

      We've run into a very serious security issue with Openfire. If a user sends an iq:auth request to change his/her password, Openfire doesn't verify if the given username belongs to the user sending the request. In other words, if user A sends a request to change the password of user B, Openfire will happily do so.

      Reproducing this problem is quite easy.

      • Start an Openfire server
      • Create two user accounts test1 and test2
      • Start Spark with the debug window enabled and log in with the user test1.
      • In the debug window go to the ad-hoc message tab and type in this stanza

      <iq type='set' id='passwd_change'>
      <query xmlns='jabber:iq:auth'>
      <username>test2</username>
      <password>newillegalychangedpassword</password>
      </query>
      </iq>

      • Openfire will respond with:

      <iq type="result" id="passwd_change" to="test1@ourxmppdomain.foo/spark"/>

      And even worse the test2 user can now only log in with the password "newillegalychangedpassword".

      It's not hard to fix. If you want, I can send you a patch.

      Cheers,

      Erik
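
The check the report describes as missing, as an added example (not Openfire's code and not the patch that closed OF-1110): a handler that compares the `<username>` in the iq:auth request with the account bound to the authenticated session before touching the user store. The function names, the in-memory `store`, and the plain lower-casing used in place of full nodeprep are assumptions.

```python
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"
STANZA_ERR_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# The stanza from the report, sent on a session authenticated as test1.
REPORTED_STANZA = """<iq type='set' id='passwd_change'>
<query xmlns='jabber:iq:auth'>
<username>test2</username>
<password>newillegalychangedpassword</password>
</query>
</iq>"""


def local_part(jid):
    """Lower-cased node of a JID, or None when the JID has no node part."""
    node, at, _ = jid.partition("@")
    return node.lower() if at else None


def error_reply(iq_id, to, err_type, condition):
    reply = ET.Element("iq", {"type": "error", "id": iq_id, "to": to})
    err = ET.SubElement(reply, "error", {"type": err_type})
    ET.SubElement(err, "{%s}%s" % (STANZA_ERR_NS, condition))
    return reply


def handle_password_change(stanza_xml, session_jid, store):
    """session_jid comes from the server's session state, never the stanza."""
    iq = ET.fromstring(stanza_xml)
    iq_id = iq.get("id", "")
    prefix = "{%s}query/{%s}" % (AUTH_NS, AUTH_NS)
    username = (iq.findtext(prefix + "username") or "").strip().lower()
    password = iq.findtext(prefix + "password")
    if iq.get("type") != "set" or not username or not password:
        return error_reply(iq_id, session_jid, "modify", "bad-request")
    # The missing check: the target account must be the sender's own.
    if username != local_part(session_jid):
        return error_reply(iq_id, session_jid, "auth", "forbidden")
    store[username] = password  # dict stands in for the real user store
    return ET.Element("iq", {"type": "result", "id": iq_id, "to": session_jid})


if __name__ == "__main__":
    store = {"test1": "pw1", "test2": "pw2"}  # constructed sample accounts
    reply = handle_password_change(
        REPORTED_STANZA, "test1@ourxmppdomain.foo/spark", store)
    print(ET.tostring(reply, encoding="unicode"))
```

With this check in place, the reported stanza sent by test1 is answered with a `forbidden` error and test2's stored password is left untouched; the same stanza on test2's own session succeeds.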

            People

            Assignee:
            gaston Gaston Dombiak
            Reporter:
            akrherz Daryl Herzmann