
Key: JM-1049
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Critical
Assignee: Gaston Dombiak
Reporter: Derek DeMoro
Votes: 0
Watchers: 0
Openfire (ARCHIVED)

Security fix

Created: 05/03/07 01:22 AM   Updated: 05/26/08 10:44 PM
Component/s: Core
Affects Version/s: 3.3.0
Fix Version/s: 3.3.1

Time Tracking:
Not Specified

Resolution Date: 05/11/07 12:42 AM
Acceptance Test - Add?: No


Description
A security issue has been reported that allows malicious users to remotely upload code to Openfire via the built-in admin console. Although there is no known exploit "in the wild", it's highly recommended that users upgrade their server instances to fix this security issue.

Affects: All previous releases of Openfire, at least through Openfire 3.0.0

Workaround: the security issue can be worked around in previous versions of Openfire by limiting access to the admin console port (9090 by default) via firewall rules.



8157 by  Derek DeMoro (1 file)
05/02/07 11:23 PM (32 months, 21 days ago)
JM-1049 - Fix small security issue.
openfire/trunk/src/web/WEB-INF/web.xml 8157 (+1 -5)

Derek DeMoro made changes - 05/03/07 01:24 AM
Field | Original Value | New Value
Status | Open [ 1 ] | Closed [ 6 ]
Resolution | | Fixed [ 1 ]
8160 by  Derek DeMoro (1 file)
05/03/07 04:47 AM (32 months, 21 days ago)
JM-1049 - Fix small security issue.
openfire/trunk/src/web/WEB-INF/web.xml 8160 (+10 -3)

Matt Tucker made changes - 05/11/07 12:37 AM
Resolution | Fixed [ 1 ] |
Status | Closed [ 6 ] | Reopened [ 4 ]
Matt Tucker made changes - 05/11/07 12:41 AM
Summary | Small security fix. | Security fix
Priority | Major [ 3 ] | Critical [ 2 ]
Description | Need to fix small security issue. | A security issue has been reported that allows malicious users to remotely upload code to Openfire via the built-in admin console. Although there is no known exploit "in the wild", it's highly recommended that users upgrade their server instances to fix this security issue. Affects: All previous releases of Openfire, at least through Openfire 3.0.0 Workaround: the security issue can be worked around in previous versions of Openfire by limiting access to the admin console port (9090 by default) via firewall rules.

Matt Tucker made changes - 05/11/07 12:42 AM
Resolution | | Fixed [ 1 ]
Status | Reopened [ 4 ] | Closed [ 6 ]