The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.

The remote host is affected by the vulnerability described in GLSA-201406-35 (Openfire: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Openfire. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition or       bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

The remote host is running Openfire / Wildfire, an instant messaging server supporting the XMPP protocol.

According to its version, the installation of Openfire or Wildfire fails to verify the owner of the account before changing the password for the account in response to an 'iq:auth' request. An authenticated attacker can exploit this vulnerability to change the passwords for arbitrary Openfire / Wildfire user accounts.

Andreas Kurtz reports :

The jabber server Openfire (<= version 3.6.0a) contains several serious vulnerabilities. Depending on the particular runtime environment these issues can potentially even be used by an attacker to execute code on operating system level.

- Authentication bypass - This vulnerability provides an attacker full access to all functions in the admin webinterface without providing any user credentials. The Tomcat filter which is responsible for authentication could be completely circumvented.

- SQL injection - It is possible to pass SQL statements to the backend database through a SQL injection vulnerability. Depending on the particular runtime environment and database permissions it is even possible to write files to disk and execute code on operating system level.

- Multiple Cross-Site Scripting - Permits arbitrary insertion of HTML- and JavaScript code in login.jsp. An attacker could also manipulate a parameter to specify a destination to which a user will be forwarded to after successful authentication.

The remote host is running Openfire / Wildfire, an instant messaging server supporting the XMPP protocol.  According to its version, the installation of Openfire or Wildfire is affected by a vulnerability which would allow a remote attacker to change the password of any users.  In particular, input sent to the 'passwd_change' parameter of the jabber: iq: auth routine is not sufficiently sanitized.  An attacker, exploiting this flaw, would be able to gain access to any user account.

ID	Name	Product	Family	Severity
76330	GLSA-201406-35 : Openfire: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
38688	Openfire < 3.6.4 jabber:iq:auth Crafted password_change Request Password Manipulation	Nessus	CGI abuses	medium
34839	FreeBSD : openfire -- multiple vulnerabilities (937adf01-b64a-11dd-a55e-00163e000016)	Nessus	FreeBSD Local Security Checks	high
5018	Openfire < 3.6.4 Arbitrary Password Manipulation	Nessus Network Monitor	CGI	medium

Detections

Analytics

CVE-2009-1595

high

Tenable Plugins

high

medium

high

medium