[jdev] [Security] Spoofing of iq ids and misbehaving servers
holler at ahsoftware.de
Sat Feb 1 19:20:07 UTC 2014
Am 01.02.2014 19:57, schrieb Mark Doliner:
> On Sat, Feb 1, 2014 at 6:21 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>> I'm able to read. How do you send that reply?
> The malicious user is logged into the user's XMPP server with another
> account. The reply is sent as a normal IQ reply stanza from the
> malicious user's client to the server, and is then routed to the
> target user.
Thijs Alkemade didn't wrote that an already broken server is necessary
to explore or do something malicious with "delaying" replies or whatever.
It doesn't make sense to talk about things which only are possible if
the server is already totally broken. If you can spoof the 'from'
address of stanzas, then you alread have a broken server and nothing
will help. If the 'from' will not be validated by a server and the
server will route stanzas with those spoofed sender anyway, then
security already is at a level near zero.
Anyway, I prefer to quit this discussion, I don't have the need to talk
with people which do accuse me of not beeing able to read.
More information about the JDev