[jdev] [Security] Spoofing of iq ids and misbehaving servers
holler at ahsoftware.de
Sun Feb 2 01:20:35 UTC 2014
Am 01.02.2014 20:41, schrieb Mark Doliner:
> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>> Thijs Alkemade didn't write that an already broken server is necessary to
>> explore or do something malicious with "delaying" replies or whatever.
> An already broken server is NOT necessary. The IQ from malicious user
> to target user might look like this:
> <iq to="target@domain.lit/Resource" id="someid123" type="result">
> <query xmlns="jabber:iq:roster">
> <item jid="whatever@example.com" subscription="both" />
> </query>
> </iq>
This would end up as a reply from the one who sent that stanza. So
already a wrong sender. If a client doesn't check that, it's as broken
as a server which doesn't validate the 'from' attribute. What is all
that talk about a spoofed ID or random IDs for if clients are already unable
to check the sender?
Anyway, have fun.
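The check this reply argues for, as an added example that is not code from the thread or from any of its posters: a client keeps a table of its own outstanding IQ ids and accepts a result only if the id is pending and the 'from' matches the JID the request was addressed to (for a request sent without 'to', RFC 6120 has the server answer with no 'from' or with the account's bare JID). The `IqTracker` class, the `OWN_JID` value and both sample stanzas are constructed for this example; the second stanza is the one quoted above as the server would actually deliver it, stamped with the real sender's 'from'. JID normalization beyond resource stripping is out of scope and left as an assumption.

```python
"""Client-side validation of incoming IQ result stanzas (added example)."""
import secrets
import xml.etree.ElementTree as ET

OWN_JID = "target@domain.lit/Resource"   # constructed sample client JID


def bare(jid):
    """Strip the resource: user@host/res -> user@host."""
    return jid.split("/", 1)[0]


class IqTracker:
    """Remembers outstanding IQ requests and who is allowed to answer each."""

    def __init__(self, own_jid):
        self.own_jid = own_jid
        # iq id -> JID the request was sent to; None = no 'to' (own account/server)
        self.pending = {}

    def new_request(self, to=None, iq_id=None):
        """Register an outgoing IQ. Ids are unpredictable unless the caller supplies one."""
        iq_id = iq_id or secrets.token_urlsafe(12)
        self.pending[iq_id] = to
        return iq_id

    def check_response(self, stanza_xml):
        """Return (accepted, reason) for an incoming <iq type='result'/'error'>."""
        iq = ET.fromstring(stanza_xml)
        if iq.get("type") not in ("result", "error"):
            return False, "not a response stanza"
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False, "unsolicited or replayed id"
        expected_to = self.pending[iq_id]
        sender = iq.get("from")
        if expected_to is None:
            # Request had no 'to': the server answers with no 'from' or our bare JID.
            ok = sender is None or sender == bare(self.own_jid)
        else:
            # Otherwise the answer must come from exactly the JID we asked.
            ok = sender == expected_to
        if not ok:
            return False, "sender %r does not match request target" % sender
        del self.pending[iq_id]   # one answer per id; a second copy is rejected above
        return True, "ok"


# Constructed sample stanzas. The second is the stanza from the thread as the
# server would deliver it, i.e. with the real sender stamped into 'from'.
LEGIT_ROSTER_RESULT = (
    '<iq from="target@domain.lit" to="target@domain.lit/Resource" id="{id}" type="result">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="friend@example.com" subscription="both"/></query></iq>'
)
SPOOFED_ROSTER_RESULT = (
    '<iq from="whatever@example.com/Res" to="target@domain.lit/Resource" id="someid123" type="result">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="whatever@example.com" subscription="both"/></query></iq>'
)


def demo():
    """Run the four cases a client must get right; returns a dict of (accepted, reason)."""
    tracker = IqTracker(OWN_JID)
    roster_id = tracker.new_request()   # roster get, no 'to'
    results = {}
    # 1. Genuine roster result: known id, 'from' is our bare JID.
    results["legit"] = tracker.check_response(LEGIT_ROSTER_RESULT.format(id=roster_id))
    # 2. The spoofed stanza with an id we never issued.
    results["spoofed_id"] = tracker.check_response(SPOOFED_ROSTER_RESULT)
    # 3. Even if the id had been guessed (the thread's worry), the sender check rejects it.
    tracker.new_request(iq_id="someid123")
    results["spoofed_sender"] = tracker.check_response(SPOOFED_ROSTER_RESULT)
    # 4. A second copy of the genuine result is a replay: its id is no longer pending.
    results["replay"] = tracker.check_response(LEGIT_ROSTER_RESULT.format(id=roster_id))
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print("%-15s %-5s %s" % (name, accepted, reason))
```

The order of the checks matters: rejecting unknown ids first keeps unsolicited results out of the pending table entirely, and the sender comparison then covers the case the thread is about, a result whose id an attacker managed to match.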