Hi,

We've run into a very serious security issue with openfire. If a user sends an iq:auth request to change his/her password openfire doesn't verify if the given username belongs to the user sending the request. In other words if user A sends a request to change the password of user B openfire will happily do so.

Reproducing this problem is quite easy.

- Start an Openfire server

- Create two user accounts test1 and test2

- Start Spark with the debug window enabled and log in with the user test1.

- In the debug window go to the ad-hoc message tab and typ in this stanza

<iq type='set' id='passwd_change'>
     <query xmlns='jabber:iq:auth'>
     <username>test2</username>
     <password>newillegalychangedpassword</password>
     </query>
</iq>

- Openfire wil respond with:

<iq type="result" id="passwd_change" to="test1@ourxmppdomain.foo/spark"/>

And even worse the test2 user can now only log in with the password "newillegalychangedpassword".

It's not hard to fix. If you want, I can sent you a patch.

Cheers,

Erik