[Security] [jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Thu Jan 30 16:20:13 UTC 2014

Am 30.01.2014 16:58, schrieb Thijs Alkemade:
> On 30 jan. 2014, at 16:36, Alexander Holler <holler at ahsoftware.de> wrote:
>> Am 30.01.2014 13:49, schrieb Thijs Alkemade:
>>> Then we have Facebook. All replies to iqs without 'to' have
>>> from='chat.facebook.com':
>>> C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
>>> S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>
>>> jabber.org itself shows a similar problem:
>>> C: <iq type='set' id='purplec5ae5254'>
>>>        <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
>>>     </iq>
>>> S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>
>> I would say that is correct (and I do the same in my server). No 'to' means the target ('to') is the server.
>> Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the problem is when a non-existing 'to' will be replaced by a 'to' with the servers jid (usually just the domain). If I read the Pidgin Security Advisory correctly, some servers do forward iq-replies which do contain a 'from' of the server, which is the real problem. So those failing servers do seem to miss a check for the validity of the 'from'.
>> But replying to an iq without a 'to' with an iq with a 'from' of the server is imho correct.
>> Regards,
>> Alexander Holler
> No, that’s wrong. http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ:
> "If the server receives an IQ stanza with no 'to' attribute, it MUST process
> the stanza on behalf of the account from which received the stanza, ... by
> returning an appropriate IQ stanza of type "result" or "error", responding as
> if the server were the bare JID of the sending entity."

Unfortunately that 'bare JID' is missed in rfc 3920 (10.1) and I can't 
remember why I've implemented it here such, that a missing 'to' will be 
replaced by a 'to' with the servers JID. Maybe because of clients which 
didn't worked otherwise, maybe because I didn't interpret 'MUST either 
process the stanza on behalf of sending entity' such that 'to' should 
include the node, maybe because of something else.

But to conclude, I find it confusing that a stanza

<iq from='user at server' to='user at server'>...</iq>

should be the same as a stanza

<iq from='user at server'>...</iq>


Alexander Holler

More information about the Security mailing list