[MU-Conference] forging names in mu-conference
Peter Saint-Andre
stpeter at jabber.org
Thu Mar 18 11:13:30 CST 2004

On Thu, Mar 18, 2004 at 09:41:24AM -0500, Hedemark, Magnus wrote:
> I'm running the latest stable mu-conference on a Jabber 1.4 server for
> internal corporate IM use. I don't know if this is a flaw in the protocol
> or put in there by design or what, but I was able to pretty thoroughly freak
> some people out by joining a chat room and changing my alias to that of a
> company executive and telling a few people to go home. Of course I very
> quickly told them it was a joke but the point is that there doesn't seem to
> be any way to prevent people from joining a conference with a falsified ID.
>
> Is there an undocumented feature I'm missing maybe or some flag that can be
> set to force people to join a room with their JID as their nick? The JIDs
> are tied directly to our single sign-on system so if someone joins a room
> with their JID as their nick we can be pretty sure they are who they say
> they are.

That's part of the protocol: you can be whomever you want to be in a
chatroom. A given implementation could lock down room nicknames (e.g.,
your roomnick must be your JID), but as far as I know none of them do
yet. Or you could force all rooms to be non-anonymous and modify the
client you're using to show people as their JIDs rather than as their
room nicknames. Or you could modify the client to send the JID as the
roomnick. Etc.

Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
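
The nickname lock-down mentioned in the reply above (roomnick must be your JID), sketched as an added example; it is not code from mu-conference or from the original message. The function names and sample addresses are assumptions, and lower-casing stands in for full JID normalization.

```python
import xml.etree.ElementTree as ET

# Constructed sample join stanzas; all addresses are made up for illustration.
HONEST = ("<presence from='magnus@example.com/work' "
          "to='staff@conference.example.com/magnus@example.com'/>")
FORGED = ("<presence from='magnus@example.com/work' "
          "to='staff@conference.example.com/ceo@example.com'/>")


def split_jid(jid):
    """Split a JID into (bare, resource); resource is '' when absent."""
    # Only the first '/' separates the resource; later ones belong to it.
    bare, _, resource = jid.partition("/")
    return bare, resource


def normalize_bare(bare):
    # Simplification (assumption): compare node@domain case-insensitively.
    # A real service would apply the XMPP stringprep profiles instead.
    return bare.strip().lower()


def check_join(stanza_xml):
    """Return (allowed, reason) for a room-join presence under nick lock."""
    stanza = ET.fromstring(stanza_xml)
    # Accept the element with or without a default namespace.
    if stanza.tag.rsplit("}", 1)[-1] != "presence":
        return False, "not a presence stanza"
    # 'from' is stamped by the sender's own server, not chosen by the
    # client, so it is the identity to trust; the nick is client-chosen.
    sender_bare, _ = split_jid(stanza.get("from", ""))
    _room, nick = split_jid(stanza.get("to", ""))
    if not sender_bare or not nick:
        return False, "missing sender or nickname"
    if normalize_bare(nick) != normalize_bare(sender_bare):
        return False, "nickname must equal sender's bare JID"
    return True, "ok"


if __name__ == "__main__":
    for label, stanza in (("honest", HONEST), ("forged", FORGED)):
        print(label, check_join(stanza))
```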