Possible to change another user's password

Hi,

We’ve run into a very serious security issue with Openfire. If a user sends an iq:auth request to change his/her password, Openfire doesn’t verify that the given username belongs to the user sending the request. In other words, if user A sends a request to change the password of user B, Openfire will happily do so.

Reproducing this problem is quite easy.

  • Start an Openfire server

  • Create two user accounts test1 and test2

  • Start Spark with the debug window enabled and log in with the user test1.

  • In the debug window go to the ad-hoc message tab and type in this stanza

test2 newillegalychangedpassword
  • Openfire will respond with:

And even worse, the test2 user can now only log in with the password “newillegalychangedpassword”.

It’s not hard to fix. If you want, I can send you a patch.

Cheers,

Erik

Hi Erik,

Thanks for reporting this, please send a patch.

daryl

Here is the patch to fix this issue
IQAuthHandler_Patch.txt (2005 Bytes)

http://www.igniterealtime.org/issues/browse/JM-1531

Sweet,

You can use this to set the admin user’s password on the server and then log in on the console.

daryl

Sweet,

You can even change the password when the server is setup to not allow password changes.

daryl
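The two behaviours this thread describes, the missing check that the <username/> in a jabber:iq:auth set belongs to the requesting user (Erik's report) and the server-wide "allow password changes" switch being ignored (daryl's follow-up), modelled side by side as an added example. This is not Openfire's code and not the attached patch; the `Server` class, its `allow_password_change` flag, the error strings and the sample accounts are hypothetical stand-ins, and the stanza is a constructed version of the request the report refers to (the original is not reproduced on the page). The hardened handler takes the user's identity from the authenticated session, never from a field the client fills in.

```python
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"

# Constructed sample stanza (not the one from the original post): the session of
# user test1 submits a password change naming user test2. The <iq/> carries no
# stream namespace here, so its tag is a bare "iq".
SAMPLE_STANZA = (
    "<iq type='set' id='pw1'>"
    f"<query xmlns='{NS_AUTH}'>"
    "<username>test2</username>"
    "<password>newillegalychangedpassword</password>"
    "</query></iq>"
)


class Server:
    """Hypothetical in-memory stand-in for the user store plus one server property."""

    def __init__(self, allow_password_change=True):
        # Constructed sample accounts, not real credentials.
        self.passwords = {"test1": "secret1", "test2": "secret2"}
        self.allow_password_change = allow_password_change


def _parse_auth_set(stanza):
    """Return (username, password) from an <iq type='set'> jabber:iq:auth query, else None."""
    iq = ET.fromstring(stanza)
    if iq.tag != "iq" or iq.get("type") != "set":
        return None
    query = iq.find(f"{{{NS_AUTH}}}query")
    if query is None:
        return None
    username = query.findtext(f"{{{NS_AUTH}}}username")
    password = query.findtext(f"{{{NS_AUTH}}}password")
    if not username or not password:
        return None
    return username, password


def handle_vulnerable(server, session_user, stanza):
    """Behaviour the report describes: the <username/> in the stanza is trusted as-is,
    and the password-change switch is never consulted."""
    parsed = _parse_auth_set(stanza)
    if parsed is None:
        return "error:bad-request"
    username, password = parsed
    if username not in server.passwords:
        return "error:item-not-found"
    server.passwords[username] = password  # no check that username == session_user
    return "result"


def handle_fixed(server, session_user, stanza):
    """Hardened form: the target account must be the authenticated session's own,
    and the server-wide switch is honoured before anything is written."""
    parsed = _parse_auth_set(stanza)
    if parsed is None:
        return "error:bad-request"
    username, password = parsed
    # session_user comes from the authenticated session; a 'from' attribute or a
    # <username/> element is client-supplied and must not decide whose password changes.
    if username != session_user:
        return "error:forbidden"
    if not server.allow_password_change:
        return "error:not-allowed"
    if username not in server.passwords:
        return "error:item-not-found"
    server.passwords[username] = password
    return "result"


if __name__ == "__main__":
    srv = Server()
    print("vulnerable:", handle_vulnerable(srv, "test1", SAMPLE_STANZA), srv.passwords["test2"])
    srv = Server()
    print("fixed:", handle_fixed(srv, "test1", SAMPLE_STANZA), srv.passwords["test2"])
```

Running the block shows the vulnerable handler answering `result` and overwriting test2's password from test1's session, while the fixed handler answers `error:forbidden` and leaves the store untouched; with `allow_password_change=False` the fixed handler refuses even a user's own change, which is the second issue raised in the thread.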

Hi,

here is an Openfire trunk binary with the patch above applied:

[delete]

No need for this with 3.6.4 out the door

daryl

Message was edited by: Daryl Herzmann

@Daryl Herzmann: Thanks for your custom build. Works for me.

Nice work Erik. Thanks for reporting this. Jive people, how soon can we expect to see an official release?

Daryl, your patch is only for a 64-bit OS?

I think somebody has already PMed this to Gato/Matt?

Btw, is this patch fixing the other issue, that Openfire is not obeying the option to not let users change their passwords? Or should we file another ticket for that?

Daryl, your patch is only for a 64-bit OS?
I think Java does not make a difference there. It’s running on 32-bit CentOS 5.3 here.

I thought so. So I will replace it on my server today and will check my second question.

Hi,

I did not write the patch. Yes, I let gato and matt know. They confirmed that it would be fixed asap.

daryl

Good point, JM-1532

They confirmed that it would be fixed asap.

So, I was right to apply the community patch. Jive’s “asap” can take ages…