[Security] [jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Thu Jan 30 15:53:02 UTC 2014


Am 30.01.2014 16:36, schrieb Alexander Holler:

> Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the
> problem is when a non-existing 'to' will be replaced by a 'to' with the
> servers jid (usually just the domain). If I read the Pidgin Security
> Advisory correctly, some servers do forward iq-replies which do contain
> a 'from' of the server, which is the real problem. So those failing
> servers do seem to miss a check for the validity of the 'from'.

Which is, btw. a bug I've reported (not publicly) for an undisclosed 
commercial XMPP-server in August 2011.

Regards,

Alexander Holler



More information about the Security mailing list