Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 246008 - net-im/openfire <= 3.6.0a multiple vulnerabilities (CVE-2008-{6508,6509,6510,6511})
Summary: net-im/openfire <= 3.6.0a multiple vulnerabilities (CVE-2008-{6508,6509,6510,...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2008-11-07 21:28 UTC by stupendoussteve
Modified: 2009-04-02 21:00 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-11-07 21:28:18 UTC
As disclosed by Andreas Kurtz:

Openfire Server <= 3.6.0a contains multiple remotely exploitable vulnerabilities:

1) Authentication bypass
This vulnerability provides an attacker full access to all functions 
in the admin webinterface without providing any user credentials.
The Tomcat filter which is responsible for authentication could be 
completely circumvented.

2) SQL injection
It is possible to pass SQL statements to the backend database through 
a SQL injection vulnerability. Depending on the particular 
runtime environment and database permissions it is even possible to 
write files to disk and execute code on operating system level.

3) Multiple Cross-Site Scripting 
Permits arbitrary insertion of HTML- and JavaScript code in login.jsp.
An attacker could also manipulate a parameter to specify 
a destination to which a user will be forwarded to after successful 
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-07 22:11:46 UTC
Advisory says that there is no information about a patch and upstream has apparently been unresponsive. Homepage has no information either...

Might be a candidate for at least temporary masking?
Comment 2 Alessio Cassibba (X-Drum) 2008-11-12 19:14:44 UTC
a ticket regarding this issue was opened on Jive's ticketing system[1],
but still no replies from upstream.

Comment 3 Markus Ullmann (RETIRED) gentoo-dev 2008-11-15 16:06:24 UTC
3.6.1 added to CVS
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-15 16:25:28 UTC
Arches, please test and mark stable.
Package '=net-im/openfire-3.6.1'
Target keywords = amd64 x86
Comment 5 Markus Meier gentoo-dev 2008-11-16 18:00:17 UTC
amd64/x86 stable, all arches done.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:37:05 UTC
Sorry, there has no glsa been filed yet.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 19:21:32 UTC
Sorry for the delay, request filed.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 22:02:26 UTC
CVE-2008-6508 (
  Directory traversal vulnerability in the AuthCheck filter in the
  Admin Console in Openfire 3.6.0a and earlier allows remote attackers
  to bypass authentication and access the admin interface via a .. (dot
  dot) in a URI that matches the Exclude-Strings list, as demonstrated
  by a /setup/setup-/.. sequence in a URI.

CVE-2008-6509 (
  SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire
  3.6.0a and earlier allows remote attackers to execute arbitrary SQL
  commands via the type parameter to sipark-log-summary.jsp.

CVE-2008-6510 (
  Cross-site scripting (XSS) vulnerability in login.jsp in the Admin
  Console in Openfire 3.6.0a and earlier allows remote attackers to
  inject arbitrary web script or HTML via the url parameter.

CVE-2008-6511 (
  Open redirect vulnerability in login.jsp in Openfire 3.6.0a and
  earlier allows remote attackers to redirect users to arbitrary web
  sites and conduct phishing attacks via the url parameter.

Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-02 21:00:18 UTC
GLSA 200904-01, sorry for the delay.