This issue is fixed with version 3.6.1 (released on Nov. 14th). Although I'm four days late, I wanted to bring this to the attention of Openfire administrators.
Quick summary: It is possible, by using a specially crafted URL, to access the web interface of Openfire, bypassing authentication. Here is the issue: http://www.igniterealtime.org/issues/browse/JM-1489 Here is a posting by 'ktk', quoting the message as it was posted by Andreas Kurtz on Full Disclosure, with some additional information: http://www.igniterealtime.org/community/message/182518
