As disclosed by Andreas Kurtz: Ref: http://www.andreas-kurtz.de/archives/63

Openfire Server <= 3.6.0a contains multiple remotely exploitable vulnerabilities:

1) Authentication bypass
This vulnerability provides an attacker full access to all functions in the admin web interface without providing any user credentials. The Tomcat filter which is responsible for authentication could be completely circumvented.

2) SQL injection
It is possible to pass SQL statements to the backend database through a SQL injection vulnerability. Depending on the particular runtime environment and database permissions it is even possible to write files to disk and execute code on operating system level.

3) Multiple Cross-Site Scripting
Permits arbitrary insertion of HTML and JavaScript code in login.jsp. An attacker could also manipulate a parameter to specify a destination to which a user will be forwarded after successful authentication.
Thanks. Advisory says that there is no information about a patch and upstream has apparently been unresponsive. Homepage has no information either... Might be a candidate for at least temporary masking?
A ticket regarding this issue was opened on Jive's ticketing system[1], but still no replies from upstream. [1] http://www.igniterealtime.org/issues/browse/JM-1489
3.6.1 added to CVS
Arches, please test and mark stable. Package '=net-im/openfire-3.6.1' Target keywords = amd64 x86
amd64/x86 stable, all arches done.
Sorry, no GLSA has been filed yet.
Sorry for the delay, request filed.
CVE-2008-6508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6508): Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.

CVE-2008-6509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6509): SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp.

CVE-2008-6510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6510): Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter.

CVE-2008-6511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6511): Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.
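To illustrate the filter-bypass class behind CVE-2008-6508 in a defender's terms, here is an added example modelling an exclusion-list check; it is not Openfire's AuthCheck code, and the exclusion entries, the page name "some-admin-page.jsp" and the function names are constructed for this thread. The flaw it reproduces is matching the exclusion list against the raw request URI, so a ".." segment after an excluded prefix lets a protected page through; the hardened variant canonicalises the path (query stripped, percent-decoded, dot segments resolved) before consulting the list.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed exclusion list in the spirit of an "Exclude-Strings" setting
# (not Openfire's real configuration): paths reachable without a login.
EXCLUDE_STRINGS = ("login.jsp", "setup/setup-", "images/", "style/")


def matches_exclude(path: str) -> bool:
    """Substring match against the exclusion list, as a naive filter would do."""
    return any(s in path for s in EXCLUDE_STRINGS)


def vulnerable_requires_auth(request_uri: str) -> bool:
    """Flawed check: consults the raw URI. '/setup/setup-/../some-admin-page.jsp'
    contains 'setup/setup-', so the protected page is served with no credentials."""
    return not matches_exclude(request_uri)


def canonical_path(request_uri: str) -> str:
    """Reduce a request URI to the path the container will actually serve:
    drop the query string, percent-decode, then resolve '.' and '..' segments."""
    raw_path = urlsplit(request_uri).path
    decoded = unquote(raw_path).replace("\\", "/")
    # posixpath.normpath keeps the leading '/' and never climbs above it
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_requires_auth(request_uri: str) -> bool:
    """Decide on the canonical path, so traversal segments cannot carry a
    protected page past the exclusion list."""
    return not matches_exclude(canonical_path(request_uri))


if __name__ == "__main__":
    # Constructed sample requests, including the dot-dot pattern from the advisory.
    for uri in ("/login.jsp",
                "/some-admin-page.jsp",
                "/setup/setup-/../some-admin-page.jsp",
                "/setup/setup-/%2e%2e/some-admin-page.jsp"):
        print(f"{uri:45} vulnerable={vulnerable_requires_auth(uri)} "
              f"hardened={hardened_requires_auth(uri)}")
```

Detection-wise, the same canonicalisation applied to access logs will surface requests whose raw URI and resolved path disagree, which is exactly the pattern the advisory describes.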
GLSA 200904-01, sorry for the delay.