We've run into a very serious security issue with Openfire. If a user sends an iq:auth request to change his/her password, Openfire doesn't verify that the given username belongs to the user sending the request. In other words, if user A sends a request to change the password of user B, Openfire will happily do so.
Reproducing this problem is quite easy.
- Start an Openfire server
- Create two user accounts test1 and test2
- Start Spark with the debug window enabled and log in with the user test1.
- In the debug window go to the ad-hoc message tab and type in this stanza:
<iq type='set' id='passwd_change'>
- Openfire will respond with:
<iq type="result" id="passwd_change" to="firstname.lastname@example.org/spark"/>
And even worse the test2 user can now only log in with the password "newillegalychangedpassword".
It's not hard to fix. If you want, I can send you a patch.
Here is Openfire trunk with the patch above applied (binary):
No need for this with 3.6.4 out the door.
Message was edited by: Daryl Herzmann