OSVDB ID: 54189

Title: Openfire IQAuthHandler.java jabber:iq:auth Crafted passwd_change Request Arbitrary Password Manipulation

Info

Disclosure

May 01, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

May 01, 2009

Description

Openfire contains a flaw that may allow a malicious user to bypass certain security restrictions. The issue is triggered when the 'no password changes' setting is not properly respected by Openfire. It is possible that the flaw may allow a malicious user to change other users' passwords by sending jabber:iq:auth passwd_change requests to the server resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Integrity
Solution: Upgrade
Disclosure: Vendor Verified

Solution

Upgrade to version 3.6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Jive Software

Openfire

3.6.3

References

CVE ID: 2009-1595 (see also: NVD)
Bugtraq ID: 34804
Secunia Advisory ID: 34976 34984
ISS X-Force ID: 50292
Related OSVDB ID: 54189
Vendor Specific News/Changelog Entry: http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html
http://www.igniterealtime.org/community/message/190280
http://www.igniterealtime.org/issues/browse/JM-1531
Vendor Specific Solution URL: http://www.igniterealtime.org/downloads/index.jsp
Other Advisory URL: http://www.vupen.com/english/advisories/2009/1237

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/54189