[Security] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Thu Jan 30 15:36:49 UTC 2014

Am 30.01.2014 13:49, schrieb Thijs Alkemade:

> Then we have Facebook. All replies to iqs without 'to' have
> from='chat.facebook.com':
> C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
> S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>
> jabber.org itself shows a similar problem:
> C: <iq type='set' id='purplec5ae5254'>
>        <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
>     </iq>
> S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>

I would say that is correct (and I do the same in my server). No 'to' 
means the target ('to') is the server.

Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the 
problem is when a non-existing 'to' will be replaced by a 'to' with the 
servers jid (usually just the domain). If I read the Pidgin Security 
Advisory correctly, some servers do forward iq-replies which do contain 
a 'from' of the server, which is the real problem. So those failing 
servers do seem to miss a check for the validity of the 'from'.

But replying to an iq without a 'to' with an iq with a 'from' of the 
server is imho correct.


Alexander Holler

More information about the Security mailing list