Open Archive 1.0.5 for Openfire 3.6.2 released

I’ve updated Open Archive for the latest version of Openfire and fixed a few bugs. Dele is about to add support for it to the Red5 SparkWeb client.

Open Archive is a XEP-0136 compliant server side message archive for Openfire.
It is available as a plugin from here.

To install the plugin just rename the jar to archive.jar, place it into the plugins folder of your Openfire server and enable it in the Openfire console at Server Settings/Archive Settings.

For those interested in the source code have a look at its development site.


Dele has published an updated version of the Red5 plugin that makes use of Open Archive. You can download it from

Openfire Server Multiple Vulnerabilities

Andreas Kurtz has published a security advisory regarding multiple critical security vulnerabilities in Openfire‘s admin console. There is also a posting to full-disclosure.
The issues allow a remote attacker to circumvent authentication and run arbitrary code with the permissions of the user running Openfire. It affects all versions up to and including 3.6.0a.

Andreas claims to have notified the vendor Jive Software six months ago. Up to now no security advisory has been issued by Jive and no patch has been published. I am really interested to hear Jive’s version of this story. If it is true that Jive was aware of the issues for so long and no action has been taken to inform the community or to fix the problem this will probably result in a loss of trust in Openfire’s development model.

For now the only solution is to limit access to the admin console (port 9090, and 9091 for HTTPS, by default) by firewall rules. Given the security issues in the admin console in the past, this is recommended anyway. The XMPP interface is not affected by the vulnerabilities discovered by Andreas.

Update 2008-11-14

Openfire 3.6.1 has been released, which fixes the security issues.


Book: Openfire Administration

Packt has released a new book on Openfire, a Java-based instant messaging server.
Openfire Administration by Mayank Sharma is a step-by-step guide for everybody who wants to set up an internal IM server for private or corporate use. It walks you through the whole installation and configuration process, including integration with external authentication sources like OpenLDAP and Active Directory, and covers a bunch of useful plugins.

In contrast to other similar products Openfire is based on open standards as it uses the same XMPP protocol that is also used by Google Talk and Apple’s iChat. Openfire is available under the GNU General Public License so there are no license fees and it’s maintained by a vibrant community. There are a lot of free and commercial clients that you can use to connect to Openfire like Spark and the Flash based SparkWeb, Psi, iChat and many more.
Additional free plugins are available that cover a wide range of requirements like connection to other IM networks like MSN, ICQ/AIM and Yahoo!, server side archiving for compliance and integration with the Asterisk PBX.

If you are new to running IM infrastructure and interested in setting up a proven, enterprise-ready solution, Mayank’s book is for you and will provide you with the information required to install and run a professional IM solution.


Openfire Enterprise is becoming Open Source

The enterprise edition of the popular Java-based XMPP server Openfire is becoming Open Source. This also includes the Flex-based IM client Sparkweb.

As Matt points out, the clustering functionality in the enterprise edition will not be made Open Source: “Part of the reason for this is that it uses a third-party commercial library for clustering.”
Nevertheless, due to the modular design of Openfire, the use of Coherence can quite easily be substituted by a free alternative like Terracotta.

This is really great news. Thanks to Jive for their commitment to the community.

Update 2008-04-07

Dombiak Gaston has followed up with a roadmap describing the two phases of the transition. The first phase, with the majority of features, is scheduled to be finished by April 27th.

Adding Presence to Your Website

You might have noticed the small green, yellow or gray icon next to my name in the about section on the right. It shows my XMPP status and my status message. This is done by including a small JavaScript snippet in the template of my blog:

<script type="text/javascript" 

The presence.js script is in fact a PHP script that retrieves the XMPP presence from the presence plugin of my Openfire server:

<?php
ini_set('display_errors', false);
// The script is included as presence.js, so answer as JavaScript.
header('Content-Type: application/javascript');

// Only accept a plain user name: uid ends up in a URL and in the generated page.
// Stop on invalid input instead of continuing with it.
$uid = isset($_GET['uid']) ? $_GET['uid'] : '';
if (! preg_match('/^[A-Za-z0-9_\.-]+$/', $uid)) {
        echo "document.write('Invalid uid parameter.');";
        exit;
}
if (isset($_GET['nick'])) {
        $nick = $_GET['nick'];
} else {
        $nick = $uid;
}
if (! preg_match('/^[A-Za-z0-9_\. -]+$/', $nick)) {
        echo "document.write('Invalid nick parameter.');";
        exit;
}
$imgtag = "<img src=\"/status/".$uid."\"/>";
// Fetch the status text from the presence plugin. It is only reachable from the web server;
// the @domain part of the jid is missing from the original listing.
$url = "http://openfire:9090/plugins/presence/status?jid=".urlencode($uid);
$lines = @file($url, FILE_SKIP_EMPTY_LINES);
$text = ($lines === false) ? 'null' : rtrim(implode('', $lines));
// Escape for HTML including quotes, so the status text cannot break out of the
// single-quoted JavaScript string it is printed into below.
$text = str_replace("\n", "", nl2br(htmlspecialchars($text, ENT_QUOTES)));
?>
document.write('<table class="xmpp-status"><tbody>');
document.write('<tr valign="center">');
document.write('<td><?php print $imgtag; ?></td>');
document.write('<td><?php print $nick; ?></td>');
<?php if ($text != 'null') { ?>
document.write('<td> </td>');
document.write('<td><?php print $text; ?></td>');
<?php } ?>
document.write('</tr></tbody></table>');


Updates for Openfire 3.4.1

A few days ago Openfire 3.4.1 was released.

More than 30 new features were added and more than 30 bugs were fixed. Personal Eventing via Pubsub was added, so you can now publish your geo-location or the music you are listening to and let subscribers be alerted. From the admin console you can manage users’ rosters. Moreover, it is now possible to retrieve photos from LDAP and use them as users’ avatars. The complete set of changes can be found here. Openfire 3.4.1 is available for download from ignite realtime.

The new version includes a few incompatible changes to the API so I have released new versions of the plugins that I maintain:

Open Archive and the plugins are released under the terms of the GPL.

User Status Plugin for Openfire

The User Status Plugin is a small plugin for Openfire 3.3.2 to save the user status to the Openfire database.

Use the plugin if you need easy access to the data from other applications or scripts that can access your Openfire database.

The plugin automatically saves the last status (presence, IP address, logon and logoff time) per user and resource to the userStatus table in the Openfire database.

Optionally you can archive user status entries (IP address, logon and logoff time) for a specified time. History entries are stored in the userStatusHistory table. The settings for history archiving can be configured on the “User Status Settings” page that you’ll find on the “Server” tab of the Openfire Admin Console.

Development of the plugin has been sponsored by Restomax.
It is available under GPL for download.

Note: Rename the plugin to user-status.jar before deploying it to the plugin folder of Openfire.

Open Archive 1.0.1 for Openfire 3.3.2 released

Open Archive is a XEP-0136 compliant server side message archive for Openfire.
It is available as a plugin from here.

Currently it supports automated message archiving and message retrieval through XEP-0136 compliant Jabber clients and a web UI for the administrator. Support for manual archiving and preferences is planned for future releases.
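To make the XEP-0136 retrieval flow concrete, here is an added example of the exchange between a compliant client and a server-side archive such as this plugin. It is illustrative and not taken from the plugin or its documentation: the JIDs, timestamps, stanza ids and message bodies are constructed, and the listing is paged with XEP-0059 result set management as XEP-0136 specifies.

```xml
<!-- Added example with constructed data: a XEP-0136 client listing and then
     retrieving an archived conversation. Assumed JIDs: romeo@example.org
     (the archive owner, authenticated on this stream) and juliet@example.org. -->

<!-- 1. Client: list the collections with juliet@example.org in a time window. -->
<iq type='get' id='list1'>
  <list xmlns='urn:xmpp:archive'
        with='juliet@example.org'
        start='2008-11-01T00:00:00Z'
        end='2008-11-30T00:00:00Z'>
    <set xmlns='http://jabber.org/protocol/rsm'>
      <max>30</max>
    </set>
  </list>
</iq>

<!-- 2. Server: one <chat/> per collection; 'start' is the key used to retrieve it. -->
<iq type='result' to='romeo@example.org/desk' id='list1'>
  <list xmlns='urn:xmpp:archive'>
    <chat with='juliet@example.org' start='2008-11-03T09:12:44Z'/>
    <chat with='juliet@example.org' start='2008-11-07T17:40:02Z'/>
    <set xmlns='http://jabber.org/protocol/rsm'>
      <first index='0'>2008-11-03T09:12:44Z</first>
      <last>2008-11-07T17:40:02Z</last>
      <count>2</count>
    </set>
  </list>
</iq>

<!-- 3. Client: retrieve the messages of the first collection. -->
<iq type='get' id='retrieve1'>
  <retrieve xmlns='urn:xmpp:archive'
            with='juliet@example.org'
            start='2008-11-03T09:12:44Z'>
    <set xmlns='http://jabber.org/protocol/rsm'>
      <max>100</max>
    </set>
  </retrieve>
</iq>

<!-- 4. Server: the collection; each message carries its offset in seconds from 'start'. -->
<iq type='result' to='romeo@example.org/desk' id='retrieve1'>
  <chat xmlns='urn:xmpp:archive'
        with='juliet@example.org'
        start='2008-11-03T09:12:44Z'>
    <from secs='0'><body>Is the archive plugin running?</body></from>
    <to secs='11'><body>Yes, since the upgrade.</body></to>
    <set xmlns='http://jabber.org/protocol/rsm'>
      <first index='0'>0</first>
      <last>1</last>
      <count>2</count>
    </set>
  </chat>
</iq>
```

The point to check in any XEP-0136 implementation is that the server scopes both `list` and `retrieve` to the archive of the authenticated sender of the `iq`; the `with` attribute selects a contact within that archive and must never be usable to read another user's collections. The web UI for the administrator is a separate path into the same data and needs the admin console's own login check.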

Version 1.0.1 requires either MySQL or the embedded HSQLDB, support for other databases might be added at a later point.

To install the plugin just rename the jar to archive.jar, place it into the plugins folder of your Openfire server and enable it in the Openfire console at Server Settings/Archive Settings.

For those interested in the source code have a look at its development site.

Update June 27, 2007:

Now we also have some screenshots available:

Archive Settings

Search Archive (Web UI)

Openfire 3.3.1 fixes critical Security Issue

Ignite Realtime has released Openfire 3.3.1 which fixes a critical security issue in all versions prior to 3.3.1. I had reported the issue last week, so thanks to the Openfire guys for the quick fix.

The security issue allows malicious people to remotely upload code to Openfire via the built-in admin console. The code is executed with the permissions of the user running Openfire. It is highly recommended that users upgrade their server instances to fix this security issue.

As a workaround access to the admin console port (9090 by default) can be limited via firewall rules.

The full changelog is available here.

Update June 27, 2007:

Now, over a month later, users have had enough time to upgrade, so I can release a few more details about the issue:

Basically, the problem was a missing filter mapping in web.xml: the beans used to install plugins, which are exposed through DWR, were reachable without authentication.

Openfire Plugin Management

So you could easily open http://somehost:9090/dwr/test/downloader and upload a malicious plugin that would run with the privileges of Openfire and with full access to the Openfire database.
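As an added illustration of the class of fix described here, the following is an excerpt of what an admin-console web.xml looks like when the login check only covers JSP pages, next to the mapping that closes the hole by putting the DWR endpoints behind the same filter. This is not Openfire's actual web.xml: the filter class org.jivesoftware.admin.AuthCheckFilter is the admin console's login check, but the filter name, the url-patterns and the DWR 1.x servlet class are assumptions made for the example.

```xml
<!-- Added, illustrative excerpt of an admin-console web.xml (not Openfire's file).
     The filter name "AuthCheck", the url-patterns and the DWR servlet class are assumed. -->
<web-app>
  <filter>
    <filter-name>AuthCheck</filter-name>
    <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
  </filter>

  <!-- Vulnerable shape: only JSP pages are behind the login check. Anything else
       the container serves, such as the DWR remoting servlet under /dwr/*, is
       reachable without a session, including /dwr/test/downloader. -->
  <filter-mapping>
    <filter-name>AuthCheck</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>

  <!-- Fixed shape: the same filter also covers every DWR URL, so the exported
       plugin-installer bean and the /dwr/test/* debug pages require a login. -->
  <filter-mapping>
    <filter-name>AuthCheck</filter-name>
    <url-pattern>/dwr/*</url-pattern>
  </filter-mapping>

  <!-- The remoting servlet that exposes the Java beans to JavaScript. -->
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>dwr-invoker</servlet-name>
    <url-pattern>/dwr/*</url-pattern>
  </servlet-mapping>
</web-app>
```

After deploying a fix of this kind, verify it the same way the hole was found: request /dwr/test/downloader on port 9090 without a session and confirm you are sent to the login page instead of the DWR test page. The more robust design is to map the authentication filter to /* and explicitly exempt the login page and static resources, so that a newly added servlet or remoting endpoint is denied by default rather than depending on someone remembering to add a mapping.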

References: Secunia Advisory: SA25427, CVE-2007-2975,