[Security] [jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Sun Feb 2 10:39:02 UTC 2014


On 02.02.2014 09:23, Waqas Hussain wrote:

> 
> Using the server's hostname in this case is still a bug though.
> RFC3920 was vague, but RFC6120 is quite clear on this. Even before
> 6120's publication this was the consensus (which led to 6120
> clarifying it).
> 
> In a c2s connection, the default address of the 'c' side is the
> connection's full JID, while of the 's' side is the user's bare JID.

No. For me, and as it looks, some other server authors, the obvious
content of a missing 'to' is the direct communication partner to which
the stanza is sent.

If you have a c2s connection and the client sends a stanza without 'to'
(client -> server), it is for sure not obvious that the client itself is
what the missing 'to' should be.

And if you change the RFC, you can't blame servers as the changed RFC
made them non-compliant.

Regards,

Alexander Holler
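
Added example, not part of the original message or of any project discussed in the thread: a client-side check that accepts an IQ response only when its 'from' fits the default addresses quoted above, instead of matching on the id alone. The function names, the `tolerate_server_domain` switch (for servers that answer with their hostname) and the JIDs are assumptions constructed for illustration.

```python
def norm(jid):
    """Simplified JID normalization (assumption): lowercase the bare part,
    keep the resource case-sensitive. Real clients apply stringprep/PRECIS."""
    if jid is None:
        return None
    bare_part, sep, resource = jid.partition("/")
    return bare_part.lower() + sep + resource


def bare(jid):
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


def response_sender_ok(req_to, resp_from, own_full_jid,
                       tolerate_server_domain=False):
    """Decide whether an IQ result/error with a matching id may be accepted.

    req_to    -- 'to' of the request we sent (None if it was omitted)
    resp_from -- 'from' of the incoming response (None if omitted)
    """
    own_bare = bare(norm(own_full_jid))
    server = own_bare.rpartition("@")[2]
    req_to, resp_from = norm(req_to), norm(resp_from)

    if req_to is None or req_to == own_bare:
        # Request went to our own account: the reply carries either no
        # 'from' or our bare JID.
        allowed = {None, own_bare}
        if tolerate_server_domain and req_to is None:
            # Opt-in workaround for servers that fill in their hostname.
            allowed.add(server)
        return resp_from in allowed

    # Request had an explicit other address: only that entity may answer.
    return resp_from == req_to


if __name__ == "__main__":
    me = "juliet@example.com/balcony"          # constructed sample JID
    for sender in (None, "juliet@example.com", "example.com",
                   "romeo@example.net/orchard"):
        print(sender, response_sender_ok(None, sender, me))
```

A response that fails the check is treated as an unrelated stanza and the pending request stays open, so a third party that guesses the id cannot complete it.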

