Openfire 3.10.2 CSRF Vulnerability (CVE-2015-6973)

Openfire 3.10.2 CSRF Vulnerability (CVE-2015-6973)
Openfire 3.10.2 CSRF Vulnerability (CVE-2015-6973)

Release date:
Updated on:

Affected Systems:

Openfiler Openfiler 3.10.2

Description:

CVE (CAN) ID: CVE-2015-6973

Openfire is a real-time Collaboration Server authorized by Open Source Apache License.

Ignite Realtime Openfire 3.10.2 has multiple cross-site Request Forgery vulnerabilities that remote attackers can exploit to hijack administrator authentication requests and then update the password by sending a constructed request to the user-password.jsp, send a constructor request to the user-create.jsp to add users, send constructor requests to the server-props.jsp to edit server settings or disable server SSL, send constructor requests to the plugins/clientcontrol/permitted-clients.jsp, and add clients.

<* Source: hyp3rlinx

Link: http://www.securityfocus.com/archive/1/archive/1/536470/100/0/threaded
*>

Suggestion:

Vendor patch:

Openfiler
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.openfiler.com/

-------------------------------------- Split line --------------------------------------

Detailed installation process of Openfire in CentOS

Openfire server configuration notes based on Jabber/XMPP protocol in CentOS 5.4

Install Openfire on Ubuntu 12.04

Openfire solves Chinese garbled characters After MySQL database is used

Load Balancing for Openfire clusters using Nginx

-------------------------------------- Split line --------------------------------------

This article permanently updates the link address: