[Security] [jdev] Spoofing of iq ids and misbehaving servers

Thijs Alkemade me at thijsalkema.de
Thu Jan 30 15:58:09 UTC 2014

On 30 jan. 2014, at 16:36, Alexander Holler <holler at ahsoftware.de> wrote:

> Am 30.01.2014 13:49, schrieb Thijs Alkemade:
>> Then we have Facebook. All replies to iqs without 'to' have
>> from='chat.facebook.com':
>> C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
>> S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>
>> jabber.org itself shows a similar problem:
>> C: <iq type='set' id='purplec5ae5254'>
>>       <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
>>    </iq>
>> S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>
> I would say that is correct (and I do the same in my server). No 'to' means the target ('to') is the server.
> Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the problem is when a non-existing 'to' will be replaced by a 'to' with the servers jid (usually just the domain). If I read the Pidgin Security Advisory correctly, some servers do forward iq-replies which do contain a 'from' of the server, which is the real problem. So those failing servers do seem to miss a check for the validity of the 'from'.
> But replying to an iq without a 'to' with an iq with a 'from' of the server is imho correct.
> Regards,
> Alexander Holler

No, that’s wrong. http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ:

"If the server receives an IQ stanza with no 'to' attribute, it MUST process
the stanza on behalf of the account from which received the stanza, ... by
returning an appropriate IQ stanza of type "result" or "error", responding as
if the server were the bare JID of the sending entity."


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/security/attachments/20140130/2a22a3ca/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/security/attachments/20140130/2a22a3ca/attachment.pgp>

More information about the Security mailing list