[jdev] [Security] Spoofing of iq ids and misbehaving servers

Mark Doliner mark at kingant.net
Sun Feb 2 01:30:47 UTC 2014

On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <holler at ahsoftware.de> wrote:
> Am 01.02.2014 20:41, schrieb Mark Doliner:
>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>>> Thijs Alkemade didn't wrote that an already broken server is necessary to
>>> explore or do something malicious with "delaying" replies or whatever.
>> An already broken server is NOT necessary. The IQ from malicious user
>> to target user might look like this:
>> <iq to="target at domain.lit/Resource" id="someid123" type="result">
>>     <query xmlns="jabber:iq:roster">
>>         <item jid="whatever at example.com" subscription="both" />
>>     </query>
>> </iq>
> This is would end up as a reply from the one who send that stanza. So
> already a wrong sender. If a client doesn't check that, it's as broken
> as a server which doesn't validate the 'from' attribute.

Yes, that's exactly the point of this email thread. Thijs wanted to
raise awareness that in fact many clients DON'T check the 'from' for
iq replies.

More information about the JDev mailing list