Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21584
HistoryApr 07, 2009 - 12:00 a.m.

[ GLSA 200904-01 ] Openfire: Multiple vulnerabilities

2009-04-0700:00:00
vulners.com
27
JSON

Gentoo Linux Security Advisory GLSA 200904-01

                                        http://security.gentoo.org/

Severity: Normal
Title: Openfire: Multiple vulnerabilities
Date: April 02, 2009
Bugs: #246008, #254309
ID: 200904-01

Synopsis

Multiple vulnerabilities were discovered in Openfire, the worst of
which may allow remote execution of arbitrary code.

Background

Ignite Realtime Openfire is a fast real-time collaboration server.

Affected packages

-------------------------------------------------------------------
 Package          /  Vulnerable  /                      Unaffected
-------------------------------------------------------------------

1 net-im/openfire < 3.6.3 >= 3.6.3

Description

Two vulnerabilities have been reported by Federico Muttis, from CORE
IMPACT's Exploit Writing Team:

  • Multiple missing or incomplete input validations in several .jsps
    (CVE-2009-0496).

  • Incorrect input validation of the "log" parameter in log.jsp
    (CVE-2009-0497).

Multiple vulnerabilities have been reported by Andreas Kurtz:

  • Erroneous built-in exceptions to input validation in login.jsp
    (CVE-2008-6508).

  • Unsanitized user input to the "type" parameter in
    sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509)

  • A Cross-Site-Scripting vulnerability due to unsanitized input to
    the "url" parameter. (CVE-2008-6510, CVE-2008-6511)

Impact

A remote attacker could execute arbitrary code on clients' systems by
uploading a specially crafted plugin, bypassing authentication.
Additionally, an attacker could read arbitrary files on the server or
execute arbitrary SQL statements. Depending on the server's
configuration the attacker might also execute code on the server via an
SQL injection.

Workaround

There is no known workaround at this time.

Resolution

All Openfire users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-im/openfire-3.6.3&quot;

References

[ 1 ] CVE-2008-6508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6508
[ 2 ] CVE-2008-6509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6509
[ 3 ] CVE-2008-6510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6510
[ 4 ] CVE-2008-6511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6511
[ 5 ] CVE-2009-0496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0496
[ 6 ] CVE-2009-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0497

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200904-01.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Related

nessus 5
openvas 11
securityvulns 1
gentoo 1
freebsd 2
checkpoint_advisories 2
prion 6
cve 6
seebug 1
packetstorm 1
exploitdb 1
attackerkb 1
nessus
nessus
GLSA-200904-01 : Openfire: Multiple vulnerabilities
2009-04-03 00:00:00
FreeBSD : openfire -- multiple vulnerabilities (937adf01-b64a-11dd-a55e-00163e000016)
2008-11-21 00:00:00
Openfire < 3.6.3 Multiple Vulnerabilities
2009-02-09 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 200904-01 (openfire)
2009-04-06 00:00:00
Gentoo Security Advisory GLSA 200904-01 (openfire)
2009-04-06 00:00:00
Openfire Multiple Vulnerabilities (Mar09)
2009-03-26 00:00:00
securityvulns
securityvulns
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2009-04-07 00:00:00
gentoo
gentoo
Openfire: Multiple vulnerabilities
2009-04-02 00:00:00
freebsd
freebsd
openfire -- multiple vulnerabilities
2008-11-07 00:00:00
openfire -- multiple vulnerabilities
2009-01-08 00:00:00
checkpoint_advisories
checkpoint_advisories
Jive Software Openfire Jabber Server SQL Injection (CVE-2008-6509)
2009-10-13 00:00:00
Jive Software Openfire Jabber Server Authentication Bypass (CVE-2008-6508)
2009-12-02 00:00:00
prion
prion
Cross site scripting
2009-03-23 20:00:00
Cross site scripting
2009-02-10 01:30:00
Directory traversal
2009-02-10 01:30:00
cve
cve
CVE-2008-6510
2009-03-23 20:00:00
CVE-2009-0496
2009-02-10 01:30:00
CVE-2008-6509
2009-03-23 20:00:00
seebug
seebug
Openfire <= 3.6.0a Admin Console Authentication Bypass
2014-07-01 00:00:00
packetstorm
packetstorm
Openfire Admin Console Authentication Bypass
2012-06-29 00:00:00
exploitdb
exploitdb
Openfire Server 3.6.0a - Admin Console Authentication Bypass (Metasploit)
2012-06-28 00:00:00
attackerkb
attackerkb
CVE-2023-32315
2023-05-26 00:00:00
JSON
Related for SECURITYVULNS:DOC:21584
nessus5openvas11securityvulns1gentoo1freebsd2checkpoint_advisories2prion6cve6seebug1packetstorm1exploitdb1attackerkb1