CVE-2008-6508
Igniterealtime Openfire < 3.6.0a - Path Traversal
Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.
Exploits (3)
exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby, webapps, jsp
https://www.exploit-db.com/exploits/19432
exploitdb · WRITEUP · VERIFIED
by Andreas Kurtz · text, webapps, jsp
https://www.exploit-db.com/exploits/7075
metasploit · WORKING POC · EXCELLENT
by Andreas Kurtz, h0ng10 · ruby, poc, java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openfire_auth_bypass.rb
References (11)
Scores
EPSS: 0.7714
EPSS Percentile: 99.0%
Details
CWE: CWE-22
Status: published
Products (25)
igniterealtime/openfire 2.6.0
igniterealtime/openfire 2.6.1
igniterealtime/openfire 2.6.2
igniterealtime/openfire 3.0.0
igniterealtime/openfire 3.0.1
igniterealtime/openfire 3.1.0
igniterealtime/openfire 3.1.1
igniterealtime/openfire 3.2.0
igniterealtime/openfire 3.2.1
igniterealtime/openfire 3.2.2
... and 15 more
Published: Mar 23, 2009
Tracked Since: Feb 18, 2026