FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openfire -- Openfire No Password Changes Security Bypass

Affected packages
openfire < 3.6.4

Details

VuXML ID e3e30d99-58a8-4a3f-8059-a8b7cd59b881
Discovery 2009-05-04
Entry 2009-05-04
Modified 2010-05-02

Secunia reports:

A vulnerability has been reported in Openfire which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to Openfire not properly respecting the no password changes setting, which can be exploited to change passwords by sending jabber:iq:auth passwd_change requests to the server.

References

CVE Name CVE-2009-1596
URL http://secunia.com/advisories/34984/
URL http://www.igniterealtime.org/community/message/190288#190288
URL http://www.igniterealtime.org/issues/browse/JM-1532