Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Sat, 21 Mar 2009 11:18:10 +0100
From: Matti Bickel <mabi@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request - openfire

Hi,

   these are old issues, but could we get a CVE identifier for them,
   anyway?

   All issues are from this advisory:
    http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt

   (1) Authentication Bypass using a special URL (possible remote code
       execution)
   Fixed in 3.6.1
   References:
    http://www.igniterealtime.org/issues/browse/JM-1489

   (2) XSS in login.jsp (possible session hijacking)
   Fixed in 3.6.0
   References:
    http://www.igniterealtime.org/issues/browse/JM-629

   (3) SQL injection in sip plugin
   Fixed in 3.6.1
   References:
    http://www.igniterealtime.org/issues/browse/JM-1488

Thanks,
  Matti
-- 
Encrypted/Signed Email preferred

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux