6,400 Views 15 Replies Last post: Apr 29, 2009 5:25 AM by wroot
erikhh Bronze 2 posts since
Apr 14, 2009

Apr 14, 2009 1:16 AM

Possible to change another user's password

Hi,

We've run into a very serious security issue with Openfire. If a user sends an iq:auth request to change his/her password, Openfire doesn't verify that the given username belongs to the user sending the request. In other words, if user A sends a request to change the password of user B, Openfire will happily do so.

Reproducing this problem is quite easy.

- Start an Openfire server

- Create two user accounts test1 and test2

- Start Spark with the debug window enabled and log in with the user test1.

- In the debug window go to the ad-hoc message tab and type in this stanza

<iq type='set' id='passwd_change'>
     <query xmlns='jabber:iq:auth'>
     <username>test2</username>
     <password>newillegalychangedpassword</password>
     </query>
</iq>

- Openfire will respond with:

<iq type="result" id="passwd_change" to="test1@ourxmppdomain.foo/spark"/>

And even worse the test2 user can now only log in with the password "newillegalychangedpassword".

It's not hard to fix. If you want, I can send you a patch.

Cheers,

Erik
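The missing check described in the report, as an added example in Python that is not Openfire's code: the handler must compare the username in the jabber:iq:auth query against the username the session authenticated as, and must also honour a server setting that disables user-initiated password changes (the other issue raised later in this thread). The `session_user` argument, the `allow_password_change` flag and the helper names are assumptions for the example; the stanza and the error reply shapes follow the report and the standard XMPP stanza-error namespace.

```python
# Added example, not Openfire's code: models how a jabber:iq:auth password-change
# handler should decide whether to apply the request (session_user and the
# allow_password_change setting are assumptions for this example).
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed from the report: the session of test1 asks to set test2's password.
STANZA = """<iq type='set' id='passwd_change'>
     <query xmlns='jabber:iq:auth'>
     <username>test2</username>
     <password>newillegalychangedpassword</password>
     </query>
</iq>"""

# Stanza error condition -> <error type=...> per the XMPP stanza-error rules.
ERR_TYPE = {"forbidden": "auth", "not-allowed": "cancel", "bad-request": "modify"}


def handle_password_change(stanza_xml, session_user, allow_password_change=True):
    """Return (status, reason); only status 'result' means the password changes.

    session_user is the username the connection authenticated as. It comes from
    the server's session state, never from anything inside the stanza.
    """
    iq = ET.fromstring(stanza_xml)
    query = iq.find(f"{{{AUTH_NS}}}query")
    if iq.get("type") != "set" or query is None:
        return ("error", "bad-request")
    username = (query.findtext(f"{{{AUTH_NS}}}username") or "").strip().lower()
    password = query.findtext(f"{{{AUTH_NS}}}password")
    if not username or password is None:
        return ("error", "bad-request")
    # The check the report says is missing: the target account must be the
    # requester's own account, otherwise test1 can reset test2's password.
    if username != session_user.strip().lower():
        return ("error", "forbidden")
    # Honour the server setting that disallows user-initiated password changes.
    if not allow_password_change:
        return ("error", "not-allowed")
    return ("result", username)


def build_reply(stanza_id, status, reason, to_jid):
    """Render the IQ reply the server sends back for the decision above."""
    if status == "result":
        return f'<iq type="result" id="{stanza_id}" to="{to_jid}"/>'
    return (f'<iq type="error" id="{stanza_id}" to="{to_jid}">'
            f'<error type="{ERR_TYPE[reason]}"><{reason} xmlns="{STANZA_NS}"/>'
            f'</error></iq>')
```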

Daryl Herzmann KeyContributor 784 posts since
Mar 12, 2005
Apr 14, 2009 6:51 AM in response to: erikhh
Re: Possible to change another user's password

Hi Erik,

Thanks for reporting this, please send a patch.

daryl

Daryl Herzmann KeyContributor 784 posts since
Mar 12, 2005
Apr 14, 2009 7:39 AM in response to: Daryl Herzmann
Re: Possible to change another user's password

Sweet,

You can use this to set the admin user's password on the server and then log in on the console.

daryl

Daryl Herzmann KeyContributor 784 posts since
Mar 12, 2005
Apr 14, 2009 7:47 AM in response to: Daryl Herzmann
Re: Possible to change another user's password

Sweet,

You can even change the password when the server is setup to not allow password changes.

daryl

Daryl Herzmann KeyContributor 784 posts since
Mar 12, 2005
May 1, 2009 4:56 PM in response to: Daryl Herzmann
Re: Possible to change another user's password

Hi,

Here is Openfire trunk with the patch above applied (binary):

[delete]

No need for this with 3.6.4 out the door.

daryl

Message was edited by: Daryl Herzmann

Coolcat KeyContributor 793 posts since
Mar 19, 2007
Apr 14, 2009 10:10 AM in response to: Daryl Herzmann
Re: Possible to change another user's password

@Daryl Herzmann: Thanks for your custom build. Works for me.

wroot KeyContributor 4,930 posts since
Jan 24, 2005
Apr 14, 2009 8:59 PM in response to: Daryl Herzmann
Re: Possible to change another user's password

Daryl, your patch is only for a 64-bit OS?

I think somebody has already PMed this to Gato/Matt?

wroot KeyContributor 4,930 posts since
Jan 24, 2005
Apr 14, 2009 10:30 PM in response to: wroot
Re: Possible to change another user's password

Btw, is this patch fixing the other issue, that Openfire is not obeying the option to not let users change their passwords? Or should we file another ticket for that?

Coolcat KeyContributor 793 posts since
Mar 19, 2007
Apr 15, 2009 1:56 AM in response to: wroot
Re: Possible to change another user's password
Daryl, your patch is only for a 64-bit OS?

I think Java does not make a difference there. It's running on 32-bit CentOS 5.3 here.

wroot KeyContributor 4,930 posts since
Jan 24, 2005
Apr 15, 2009 3:00 AM in response to: Coolcat
Re: Possible to change another user's password

I thought so. So I will replace it on my server today and will check my second question.

Daryl Herzmann KeyContributor 784 posts since
Mar 12, 2005
Apr 15, 2009 4:32 AM in response to: wroot
Re: Possible to change another user's password

Good point, JM-1532

Daryl Herzmann KeyContributor 784 posts since
Mar 12, 2005
Apr 15, 2009 4:14 AM in response to: wroot
Re: Possible to change another user's password

Hi,

I did not write the patch. Yes, I let gato and matt know. They confirmed that it would be fixed asap.

daryl

wroot KeyContributor 4,930 posts since
Jan 24, 2005
Apr 29, 2009 5:25 AM in response to: Daryl Herzmann
Re: Possible to change another user's password
They confirmed that it would be fixed asap.

So, I was right to apply the community patch. Jive's "asap" can take ages..

Darian Anthony Patrick Bronze 13 posts since
Dec 6, 2006
Apr 14, 2009 7:01 PM in response to: erikhh
Re: Possible to change another user's password

Nice work, Erik. Thanks for reporting this. Jive people, how soon can we expect to see an official release?
