Ignite Realtime has released Openfire 3.3.1 which fixes a critical security issue in all versions prior to 3.3.1. I had reported the issue last week, so thanks to the Openfire guys for the quick fix.
The security issue allows malicious people to remotely upload code to Openfire via the built-in admin console. The code is executed with the permissions of the user running Openfire. It is highly recommended that users upgrade their server instances to fix this security issue.
As a workaround, access to the admin console port (9090 by default) can be limited via firewall rules.
The full changelog is available here.
Update June 27, 2007:
Now, over a month later, users have had enough time to upgrade, so I can release a few more details about the issue:
Basically, the problem was a missing filter mapping in web.xml: the authentication filter was not applied to the DWR path, so the beans used to install plugins, which are exposed through DWR, were available without authentication.
So you could simply open http://somehost:9090/dwr/test/downloader and upload a malicious plugin, which would run with the privileges of Openfire and have full access to the Openfire database.
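The root cause above is a servlet endpoint that the authentication filter's url-pattern simply did not match. As an added example (not Openfire's own code or configuration), the following Python script audits a web.xml for servlet mappings that no mapping of the named authentication filter covers, using the servlet-spec matching rules for exact, path-prefix (/path/*) and extension (*.ext) patterns. The two web.xml documents are constructed for this example, and AuthCheck, com.example.AdminAuthFilter and com.example.DwrServlet are placeholder names, not the classes or filter names Openfire uses.

```python
# Added example, not Openfire's own code: find servlet url-patterns that are
# not covered by the authentication filter's filter-mappings in a web.xml.
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://...}servlet-mapping."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name: str):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name: str) -> str:
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def covers(filter_pat: str, servlet_pat: str) -> bool:
    """True when a filter url-pattern matches every request a servlet
    url-pattern would receive (servlet-spec style matching)."""
    if filter_pat == servlet_pat or filter_pat == "/*":
        return True
    if filter_pat.endswith("/*"):                 # path-prefix mapping
        prefix = filter_pat[:-2]
        return servlet_pat == prefix or servlet_pat.startswith(prefix + "/")
    if filter_pat.startswith("*."):               # extension mapping
        return servlet_pat.endswith(filter_pat[1:])
    return False                                  # exact mapping, no match


def unprotected_servlets(web_xml: str, filter_name: str):
    """Return (servlet-name, url-pattern) pairs that the given filter does
    not protect, either by url-pattern or by servlet-name mapping."""
    root = ET.fromstring(web_xml)
    filter_patterns, filter_servlets = [], set()
    for fm in _children(root, "filter-mapping"):
        if _text(fm, "filter-name") != filter_name:
            continue
        filter_patterns += [p.text.strip() for p in _children(fm, "url-pattern")]
        filter_servlets |= {s.text.strip() for s in _children(fm, "servlet-name")}

    gaps = []
    for sm in _children(root, "servlet-mapping"):
        name = _text(sm, "servlet-name")
        if name in filter_servlets:
            continue
        for p in _children(sm, "url-pattern"):
            pat = p.text.strip()
            if not any(covers(f, pat) for f in filter_patterns):
                gaps.append((name, pat))
    return gaps


# Constructed sample: the auth filter only guards *.jsp, so the DWR servlet
# mounted at /dwr/* is reachable without authentication.
VULNERABLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>AuthCheck</filter-name>
    <filter-class>com.example.AdminAuthFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthCheck</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>com.example.DwrServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>dwr-invoker</servlet-name>
    <url-pattern>/dwr/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample of the fix: a second filter-mapping adds /dwr/*.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<url-pattern>*.jsp</url-pattern>\n  </filter-mapping>",
    "<url-pattern>*.jsp</url-pattern>\n  </filter-mapping>\n"
    "  <filter-mapping>\n    <filter-name>AuthCheck</filter-name>\n"
    "    <url-pattern>/dwr/*</url-pattern>\n  </filter-mapping>",
)

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, unprotected_servlets(doc, "AuthCheck"))
```

Running the script reports the dwr-invoker servlet at /dwr/* as unprotected in the first document and nothing in the second. Run against a deployed application's web.xml, the same check catches any endpoint that is mounted outside the patterns an authentication filter guards, which is exactly the class of mistake behind this issue.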
References: Secunia Advisory SA25427, CVE-2007-2975, JM-1049