[jdev] [Security] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Sat Feb 1 19:20:07 UTC 2014

Am 01.02.2014 19:57, schrieb Mark Doliner:
> On Sat, Feb 1, 2014 at 6:21 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>> I'm able to read. How do you send that reply?
> The malicious user is logged into the user's XMPP server with another
> account. The reply is sent as a normal IQ reply stanza from the
> malicious user's client to the server, and is then routed to the
> target user.

Thijs Alkemade didn't wrote that an already broken server is necessary 
to explore or do something malicious with "delaying" replies or whatever.

It doesn't make sense to talk about things which only are possible if 
the server is already totally broken. If you can spoof the 'from' 
address of stanzas, then you alread have a broken server and nothing 
will help. If the 'from' will not be validated by a server and the 
server will route stanzas with those spoofed sender anyway, then 
security already is at a level near zero.

Anyway, I prefer to quit this discussion, I don't have the need to talk 
with people which do accuse me of not beeing able to read.

Alexander Holler

More information about the JDev mailing list