Bind admin console to loopback interface by default
Description
Environment
Activity
Guus der Kinderen January 13, 2024 at 7:21 PM
Binding behavior can be configured in `openfire.xml` by setting an XML element `<adminConsole><interface>127.0.0.1</interface></adminConsole>` (which is specific to the admin console) or `<network><interface>127.0.0.1</interface></network>`, which is applied also to other network interaction. The absence of both makes Openfire bind to all network interfaces.
With this ticket now resolved, the default value for `adminConsole` now uses `127.0.0.1`, which limits the admin console to that network interface (where prior to this change, nothing was defined, making the admin console available on all interfaces).
Daniel Jackson May 17, 2023 at 11:07 AM
Introduced a checkbox in the setup (default checked) to restrict the admin console network interface binding to '127.0.0.1' meaning only requests from localhost will be received. This will have implications for some plugins in the ecosystem such as the restApi plugin, which uses the same network interface binding as the admin console.
The `adminConsole.interface` property can be modified in the `openfire.xml` configuration after the initial setup and will take effect upon server reboot.
This change will only affect future versions of Openfire (4.8.0).
Openfire can be configured to bind the admin console webserver to a specific network interface.
Openfire should, by default, bind only to the loopback interface (but binds to all interfaces).
Note that various web-based functionality might piggy-back on this server. The REST-API plugin is an example of this. An inventory must be made to find all affected implementations.
A solution must be defined for these, which might involve:
- Reimplementation to use their own webserver, instead of reusing the Admin Console one.
- Document that a configuration change is needed to expose functionality on an external network interface.
This change should only go in the `main` branch of the private temporary fork of Openfire that is used to address this vulnerability.
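How the binding rules in the comments above resolve for a given `openfire.xml`, as an added example that is not part of the ticket or of Openfire's code. The `<jive>` root and port values in the sample files are constructed, and the precedence of `adminConsole` over `network` when both are set is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from a real deployment).
NO_INTERFACE = "<jive><adminConsole><port>9090</port></adminConsole></jive>"
LOOPBACK = ("<jive><adminConsole><port>9090</port>"
            "<interface>127.0.0.1</interface></adminConsole></jive>")
NETWORK_ONLY = ("<jive><network><interface>10.0.0.5</interface></network>"
                "<adminConsole><port>9090</port></adminConsole></jive>")
HOSTNAME = "<jive><adminConsole><interface>localhost</interface></adminConsole></jive>"


def effective_admin_interface(xml_text):
    """Return (value, source_path); (None, None) when neither element is set."""
    root = ET.fromstring(xml_text)
    # Assumption: the admin-console-specific element wins over the general
    # network element when both are present.
    for path in ("adminConsole/interface", "network/interface"):
        value = (root.findtext(path) or "").strip()
        if value:
            return value, path
    return None, None


def audit(xml_text):
    """Classify the admin console binding as (status, explanation)."""
    value, source = effective_admin_interface(xml_text)
    if value is None:
        return "all-interfaces", "no interface element set"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Hostnames depend on local name resolution; flag for manual review.
        return "review", f"{source} = {value!r} is not an IP literal"
    if addr.is_unspecified:  # 0.0.0.0 or :: is a wildcard bind
        return "all-interfaces", f"{source} = {value} is a wildcard address"
    if addr.is_loopback:
        return "loopback", f"{source} = {value}"
    return "non-loopback", f"{source} = {value}"


if __name__ == "__main__":
    for name, xml in [("no interface", NO_INTERFACE), ("loopback", LOOPBACK),
                      ("network only", NETWORK_ONLY), ("hostname", HOSTNAME)]:
        print(name, "->", audit(xml))
```

A `loopback` result also means that anything sharing the admin console webserver, such as the REST-API plugin mentioned in the ticket, is only reachable from localhost.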