Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.
https://www.exploit-db.com/exploits/7075
http://www.securityfocus.com/archive/1/498162/100/0/threaded