We’ve run into a very serious security issue with Openfire. If a user sends an iq:auth request to change his/her password, Openfire doesn’t verify whether the given username belongs to the user sending the request. In other words, if user A sends a request to change the password of user B, Openfire will happily do so.
Reproducing this problem is quite easy.
Start an Openfire server
Create two user accounts test1 and test2
Start Spark with the debug window enabled and log in with the user test1.
In the debug window go to the ad-hoc message tab and type in this stanza
test2
newillegalychangedpassword
Openfire will respond with:
And, even worse, the test2 user can now only log in with the password “newillegalychangedpassword”.
It’s not hard to fix. If you want, I can send you a patch.
Btw, is this patch fixing the other issue, that Openfire is not obeying the option to not let users change their passwords? Or should we file another ticket for that?
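The missing check described in the report, as an added illustration that is not Openfire's code or the reporter's patch: a hypothetical jabber:iq:auth handler in Python, with the unverified behaviour next to a hardened version that only updates the account the session is authenticated as and that also honours a server-side "users may not change their password" switch. The function names, the in-memory `users` dict, the `allow_password_change` flag and the returned error-condition strings are all assumptions made for the example; the sample stanza is constructed to match the one in the report.

```python
"""
Hypothetical jabber:iq:auth password-change handler (added example,
not Openfire's code). Shows the missing ownership check next to a
hardened version.
"""
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"
Q = "{%s}" % NS_AUTH


def build_auth_set(username, password, stanza_id="auth1"):
    """Build an iq:auth 'set' stanza (constructed sample input)."""
    iq = ET.Element("iq", {"type": "set", "id": stanza_id})
    query = ET.SubElement(iq, "query", {"xmlns": NS_AUTH})
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = password
    return ET.tostring(iq, encoding="unicode")


def parse_auth_set(stanza_xml):
    """Return (username, password) from an iq:auth set, or None if malformed."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag != "iq" or iq.get("type") != "set":
        return None
    query = iq.find(Q + "query")
    if query is None:
        return None
    username = query.findtext(Q + "username")
    password = query.findtext(Q + "password")
    if not username or not password:
        return None
    return username, password


def handle_auth_set_vulnerable(session_user, stanza_xml, users):
    """The behaviour the report describes: whichever account <username>
    names gets the new password, regardless of who sent the stanza.
    Returns None on success or an error condition name."""
    parsed = parse_auth_set(stanza_xml)
    if parsed is None:
        return "bad-request"
    username, password = parsed
    users[username] = password  # no check that username == session_user
    return None


def handle_auth_set_fixed(session_user, stanza_xml, users,
                          allow_password_change=True):
    """Hardened handler. Returns None on success or an XMPP error
    condition name ('not-allowed', 'bad-request', 'forbidden')."""
    # Server policy (assumed flag): refuse every change when the admin
    # has disabled self-service password changes.
    if not allow_password_change:
        return "not-allowed"
    parsed = parse_auth_set(stanza_xml)
    if parsed is None:
        return "bad-request"
    username, password = parsed
    # JID node parts are case-insensitive, so compare case-folded values.
    # The <username> in the stanza must be the authenticated session's own.
    if username.casefold() != session_user.casefold():
        return "forbidden"
    # Write using the authenticated identity, never the client-supplied string.
    users[session_user] = password
    return None


if __name__ == "__main__":
    users = {"test1": "pw1", "test2": "pw2"}
    stanza = build_auth_set("test2", "newillegalychangedpassword")
    print("vulnerable:", handle_auth_set_vulnerable("test1", stanza, users), users)
    users = {"test1": "pw1", "test2": "pw2"}
    print("fixed:", handle_auth_set_fixed("test1", stanza, users), users)
```

The point of the fixed handler is that the `<username>` element is untrusted input: it is only ever compared with the identity the server already established at login, and the write goes to that identity, not to the value the client sent.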