CVE-2008-6508

Name of the Vulnerable Software and Affected Versions Openfire versions 3.6.0a and earlier

Description A directory traversal issue in the AuthCheck filter of the Admin Console allows remote attackers to bypass authentication and access the admin interface by including a .. (dot dot) in a URI. This can be achieved by crafting a specific URI sequence, such as /setup/setup-/.., which matches the Exclude-Strings list.

Recommendations For Openfire versions 3.6.0a and earlier, consider restricting access to the Admin Console until a fix is available. As a temporary workaround, disabling the AuthCheck filter may prevent exploitation, but this should be done with caution as it may have unintended consequences on the security of the Admin Console. At the moment, there is no information about a newer version that contains a fix for this vulnerability.