[jdev] [Security] Spoofing of iq ids and misbehaving servers

Waqas Hussain waqas20 at gmail.com
Sun Feb 2 08:23:05 UTC 2014

On Sun, Feb 2, 2014 at 1:33 AM, Alexander Holler <holler at ahsoftware.de> wrote:
> Am 02.02.2014 02:30, schrieb Mark Doliner:
>> On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <holler at ahsoftware.de> wrote:
>>> Am 01.02.2014 20:41, schrieb Mark Doliner:
>>>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>>>>> Thijs Alkemade didn't write that an already broken server is necessary to
>>>>> explore or do something malicious with "delaying" replies or whatever.
>>>> An already broken server is NOT necessary. The IQ from malicious user
>>>> to target user might look like this:
>>>> <iq to="target@domain.lit/Resource" id="someid123" type="result">
>>>>     <query xmlns="jabber:iq:roster">
>>>>         <item jid="whatever@example.com" subscription="both" />
>>>>     </query>
>>>> </iq>
>>> This would end up as a reply from the one who sent that stanza. So
>>> already a wrong sender. If a client doesn't check that, it's as broken
>>> as a server which doesn't validate the 'from' attribute.
>> Yes, that's exactly the point of this email thread. Thijs wanted to
>> raise awareness that in fact many clients DON'T check the 'from' for
>> iq replies.
> Oh. Based on the subject, the non-disclosed CVE and the description I
> had the impression the problem is that clients don't make a difference between
> 'server' or 'myself' in the 'from' attribute of replies and that this
> thread was because of misbehaving servers. But not that clients don't
> check the 'from' at all, which is a slight difference.

Using the server's hostname in this case is still a bug though.
RFC3920 was vague, but RFC6120 is quite clear on this. Even before
6120's publication this was the consensus (which led to 6120
clarifying it).

In a c2s connection, the default address of the 'c' side is the
connection's full JID, while of the 's' side is the user's bare JID.

Waqas Hussain
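A minimal client-side check along the lines discussed in this thread, as an added example that is not code from the thread or from any XMPP project: it accepts an IQ result or error only when its id matches an outstanding request and its 'from' is the address that request was sent to, treating an absent 'from' as the user's bare JID (the server-side default described above). The class name, the target and attacker JIDs (mallory@example.com/phone) and the sample stanzas are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

class IqReplyChecker:
    """Tracks outgoing IQ requests and accepts a reply only if its id matches
    a pending request and its 'from' matches that request's 'to'."""

    def __init__(self, full_jid):
        self.full_jid = full_jid                    # the 'c' side of the c2s stream
        self.bare_jid = full_jid.split("/", 1)[0]   # default address of the 's' side
        self.pending = {}                           # id -> expected 'from'

    def send(self, iq_id, to=None):
        # A request with no 'to' is handled by the user's own account, whose
        # default address is the bare JID, so that is the only 'from' accepted.
        self.pending[iq_id] = self.bare_jid if to is None else to

    def accept_reply(self, xml_text):
        iq = ET.fromstring(xml_text)
        # Tolerate a declared jabber:client namespace on the element name.
        if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") not in ("result", "error"):
            return False
        expected = self.pending.get(iq.get("id"))
        if expected is None:
            return False                 # no such request outstanding: drop it
        # An absent 'from' is the server answering for the user's own account.
        sender = iq.get("from", self.bare_jid)
        if sender != expected:
            return False                 # wrong sender: leave the request pending
        del self.pending[iq.get("id")]
        return True

# Constructed stanzas (not from the thread), as the target's server would deliver
# them: the server stamps the real sender into 'from', so the spoofed roster
# result from the quoted message arrives bearing the attacker's JID.
SPOOFED = ('<iq to="target@domain.lit/Resource" from="mallory@example.com/phone" '
           'id="someid123" type="result"><query xmlns="jabber:iq:roster">'
           '<item jid="whatever@example.com" subscription="both"/></query></iq>')
GENUINE = ('<iq to="target@domain.lit/Resource" id="someid123" type="result">'
           '<query xmlns="jabber:iq:roster"/></iq>')
# Server hostname in 'from': per the message above this is a bug, and under the
# strict rule it does not match the bare-JID default, so it is rejected too.
HOSTNAME_FROM = ('<iq to="target@domain.lit/Resource" from="domain.lit" '
                 'id="someid123" type="result"><query xmlns="jabber:iq:roster"/></iq>')

def demo():
    checker = IqReplyChecker("target@domain.lit/Resource")
    checker.send("someid123")              # roster get sent with no 'to'
    return (checker.accept_reply(SPOOFED), checker.accept_reply(HOSTNAME_FROM),
            checker.accept_reply(GENUINE))

if __name__ == "__main__":
    print(demo())   # (False, False, True)
```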