As disclosed by Andreas Kurtz:
Openfire Server <= 3.6.0a contains multiple remotely exploitable vulnerabilities:
1) Authentication bypass
This vulnerability provides an attacker full access to all functions
in the admin web interface without providing any user credentials.
The Tomcat filter which is responsible for authentication could be
2) SQL injection
It is possible to pass SQL statements to the backend database through
a SQL injection vulnerability. Depending on the particular
runtime environment and database permissions it is even possible to
write files to disk and execute code on operating system level.
3) Multiple Cross-Site Scripting
An attacker could also manipulate a parameter to specify
a destination to which a user will be forwarded after successful
Advisory says that there is no information about a patch and upstream has apparently been unresponsive. Homepage has no information either...
Might be a candidate for at least temporary masking?
A ticket regarding this issue was opened on Jive's ticketing system,
but still no replies from upstream.
3.6.1 added to CVS
Arches, please test and mark stable.
Target keywords = amd64 x86
amd64/x86 stable, all arches done.
Sorry, no GLSA has been filed yet.
Sorry for the delay, request filed.
Directory traversal vulnerability in the AuthCheck filter in the
Admin Console in Openfire 3.6.0a and earlier allows remote attackers
to bypass authentication and access the admin interface via a .. (dot
dot) in a URI that matches the Exclude-Strings list, as demonstrated
by a /setup/setup-/.. sequence in a URI.
SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire
3.6.0a and earlier allows remote attackers to execute arbitrary SQL
commands via the type parameter to sipark-log-summary.jsp.
Cross-site scripting (XSS) vulnerability in login.jsp in the Admin
Console in Openfire 3.6.0a and earlier allows remote attackers to
inject arbitrary web script or HTML via the url parameter.
Open redirect vulnerability in login.jsp in Openfire 3.6.0a and
earlier allows remote attackers to redirect users to arbitrary web
sites and conduct phishing attacks via the url parameter.
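The CVE descriptions above cover two defensive points worth seeing in code: the AuthCheck filter bypass works because a substring match on the raw request URI is performed before the container resolves the `..` segments, and the login.jsp `url` parameter is used as a redirect target without restricting it to the local site. The following is an added example written for this thread, not Openfire's own filter or login code; the exclude list, function names and sample URIs are constructed. It contrasts the weak substring check with a check that canonicalizes the path first, and shows a validator that only accepts same-origin relative paths as the post-login destination.

```python
"""Defensive checks illustrating the two Openfire 3.6.0a issues described above.
Added example; the exclude list and all sample URIs below are constructed."""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed exclude list: URI prefixes a login filter would let through
# without authentication (login page, setup wizard, static images).
EXCLUDE_STRINGS = ["/login.jsp", "/setup/setup-", "/images/"]


def is_excluded_substring(request_uri: str) -> bool:
    """Weak check: any request URI that *contains* an exclude string skips
    authentication. Nothing resolves '.' or '..' segments, so a URI can carry
    an excluded string and still be dispatched to a protected page."""
    return any(s in request_uri for s in EXCLUDE_STRINGS)


def canonicalize(request_uri: str) -> str:
    """Reduce a request URI to the path the servlet container will actually
    dispatch: drop query/fragment, decode percent-encoding once, and collapse
    '.' and '..' segments. The result always starts with a single '/'."""
    path = unquote(urlsplit(request_uri).path)
    normalized = posixpath.normpath(path)  # '/a/b/../c' -> '/a/c'
    # normpath keeps a leading '//' (POSIX rule); fold it so prefix checks
    # below cannot be confused by an extra slash.
    normalized = "/" + normalized.lstrip("/")
    return normalized


def is_excluded_canonical(request_uri: str) -> bool:
    """Hardened check: canonicalize first, then require the excluded string to
    be a *prefix* of the resolved path rather than a substring anywhere."""
    path = canonicalize(request_uri)
    return any(path.startswith(s) for s in EXCLUDE_STRINGS)


def safe_redirect_target(url_param: str, default: str = "/index.jsp") -> str:
    """Accept the post-login destination only if it is a site-relative path.
    Anything with a scheme or host, a protocol-relative '//' or '/\\' prefix,
    or embedded line breaks falls back to the default page."""
    if not url_param or "\r" in url_param or "\n" in url_param:
        return default
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return default
    if not url_param.startswith("/") or url_param.startswith(("//", "/\\")):
        return default
    return url_param


if __name__ == "__main__":
    traversal = "/setup/setup-/../index.jsp"
    print("substring check lets it through:", is_excluded_substring(traversal))
    print("canonical check lets it through:", is_excluded_canonical(traversal))
    print("redirect target for 'http://example.invalid/':",
          safe_redirect_target("http://example.invalid/"))
```

The decode step runs once on purpose: a container decodes the path a single time, so matching against a once-decoded path mirrors what it will dispatch, while decoding repeatedly would accept inputs the container itself never resolves. The redirect validator is only half of the login.jsp fix; the same `url` value must still be HTML-escaped wherever it is echoed into the page (for example with `html.escape`) to close the reflected XSS described above.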
GLSA 200904-01, sorry for the delay.