[Security] [jdev] Spoofing of iq ids and misbehaving servers
holler at ahsoftware.de
Thu Jan 30 15:53:02 UTC 2014
Am 30.01.2014 16:36, schrieb Alexander Holler:
> Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the
> problem is when a non-existing 'to' will be replaced by a 'to' with the
> servers jid (usually just the domain). If I read the Pidgin Security
> Advisory correctly, some servers do forward iq-replies which do contain
> a 'from' of the server, which is the real problem. So those failing
> servers do seem to miss a check for the validity of the 'from'.
Which is, btw. a bug I've reported (not publicly) for an undisclosed
commercial XMPP-server in August 2011.
More information about the Security