[jdev] [Security] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Sun Feb 2 06:33:26 UTC 2014

Am 02.02.2014 02:30, schrieb Mark Doliner:
> On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <holler at ahsoftware.de> wrote:
>> Am 01.02.2014 20:41, schrieb Mark Doliner:
>>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>>>> Thijs Alkemade didn't wrote that an already broken server is necessary to
>>>> explore or do something malicious with "delaying" replies or whatever.
>>> An already broken server is NOT necessary. The IQ from malicious user
>>> to target user might look like this:
>>> <iq to="target at domain.lit/Resource" id="someid123" type="result">
>>>     <query xmlns="jabber:iq:roster">
>>>         <item jid="whatever at example.com" subscription="both" />
>>>     </query>
>>> </iq>
>> This is would end up as a reply from the one who send that stanza. So
>> already a wrong sender. If a client doesn't check that, it's as broken
>> as a server which doesn't validate the 'from' attribute.
> Yes, that's exactly the point of this email thread. Thijs wanted to
> raise awareness that in fact many clients DON'T check the 'from' for
> iq replies.

Oh. Based on the subject, the non-disclosed CVE and the description I
had the impression the problem is that don't a make a difference between
'server' or 'myself' in the 'from' attribute of replies and that this
thread was because of misbehaving servers. But not that clients don't
check the 'from' at all which is a slightly difference.

Alexander Holler

More information about the JDev mailing list