[jdev] [Security] Spoofing of iq ids and misbehaving servers

Stefan Karlsson sk at synergysky.com
Wed Feb 5 12:35:14 UTC 2014

Sorry for not replying to the correct post - I could swear I saw a list 
of clients where tickets were created, but I couldn't find it.
I checked jabbernet and, as far as I could trace the code, the iqtracker 
did not make use of from, only the id field.

I hacked the static NextID() function in jabber/protocol/element.cs to 
return Guid.Next().ToString() instead of a statically increased counter. 
The correct way should of course be to track the to/from field properly.

If anyone has a Google account and/or is active on the jabbernet site, feel 
free to post my concerns on http://code.google.com/p/jabber-net/issues/list


Reason why I am making this post is because I

On 2014-02-01 20:38, Justin Karneges wrote:
> On 01/31/2014 01:51 PM, Thijs Alkemade wrote:
>> Only two clients I've looked at verify that the 'from' actually 
>> matches the
>> 'to' the iq was sent to:
>> * Pidgin (libpurple): incrementing counter starting from a random value
>> * Swift: UUID
> Also Iris-based clients (Psi, Kopete, Kadu). Iq ids aren't random but 
> the from address is checked.
> Justin
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________

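The check the thread describes (match a reply on its id and require the reply's 'from' to equal the request's 'to', with unpredictable ids) as an added example; this is not jabber-net code, and the JIDs, stanzas and the rule for replies to requests sent without a 'to' are assumptions drawn from RFC 6120.

```python
# Added example: an IQ response tracker that keys on the id AND verifies the
# sender, so a reply forged by another entity is not matched to a pending
# request. Stanzas are handled as plain XML strings; JIDs are constructed.
import secrets
import xml.etree.ElementTree as ET


class IqTracker:
    def __init__(self, own_jid):
        self.own_bare = own_jid.split("/")[0]          # alice@example.com
        self.server = self.own_bare.split("@")[1]      # example.com
        self.pending = {}  # id -> 'to' of the request (None = own server)

    def new_id(self):
        # Unpredictable id: a counter lets a forger guess the next value.
        return secrets.token_hex(16)

    def send(self, to, payload):
        iq_id = self.new_id()
        self.pending[iq_id] = to
        to_attr = f' to="{to}"' if to else ""
        return iq_id, f'<iq type="get" id="{iq_id}"{to_attr}>{payload}</iq>'

    def receive(self, xml_text):
        """Return 'accepted', 'spoofed' or 'ignored' for an incoming stanza."""
        iq = ET.fromstring(xml_text)
        iq_id = iq.get("id")
        if iq.get("type") not in ("result", "error") or iq_id not in self.pending:
            return "ignored"  # not a reply to anything we are waiting for
        expected_to = self.pending[iq_id]
        sender = iq.get("from")
        if expected_to is None:
            # Request went to our own server: RFC 6120 allows the reply to
            # omit 'from' or to carry our bare JID (assumption: also the domain).
            ok = sender in (None, self.own_bare, self.server)
        else:
            # RFC 6120: the reply's 'from' must equal the request's 'to'.
            ok = sender == expected_to
        if not ok:
            # Wrong sender: drop it and keep waiting for the genuine reply.
            return "spoofed"
        del self.pending[iq_id]   # consume the id exactly once
        return "accepted"
```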