[Security] [jdev] Spoofing of iq ids and misbehaving servers
holler at ahsoftware.de
Fri Jan 31 19:04:59 UTC 2014
On 31.01.2014 18:01, Mark Doliner wrote:
> On Fri, Jan 31, 2014 at 2:51 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>> In general the reply should always have 'to' and 'from' exchanged. I think
>> any server which doesn't do so, does something wrong.
> Hmm, are you talking about the 'jabber:client' namespace? If so I
> think this statement isn't correct. I think there are times when 'to'
> and 'from' are allowed to be empty. Examples:
I'm not talking about any specific namespace. I'm talking about replies and
I'm ignoring empty 'to' or 'from' as they are just a replacement for
some specific JID and are a mistake in history.
Anyway, I think this discussion has gone off-topic and we
should not continue the discussion about empty 'from' or 'to' attributes
under that topic.
The real problem is that there seem to be some servers out in the wild
which don't do any validity checks for the 'from' attribute and thus do
allow spoofing of the 'from' attribute. The correct solution is that no
client should be allowed to send any stanza, whatever type it is, with a
'from' which doesn't belong to the account he has been validated for.
The same applies to s2s connections. A server should always check if the
'from' attribute in received stanzas belongs to what the remote has
been validated for, thus forbidding spoofing.
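As an added illustration (not code from the thread), the check Alexander argues for, written as a server-side validation of the 'from' attribute: on a c2s stream it must belong to the account bound to that stream, on an s2s stream its domainpart must be the domain the peer server authenticated for. The JID helper and the sample stanzas are constructed here; `bound_jid` and `verified_domain` are assumed to come from the server's own authentication state.

```python
"""Hypothetical server-side 'from' validation for XMPP stanzas (added example).
Assumes the connection is already authenticated: c2s streams have a bound full
JID, s2s streams a verified remote domain (e.g. via TLS or Dialback)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Jid:
    local: str
    domain: str
    resource: str = ""

    @classmethod
    def parse(cls, text):
        # Minimal split; a real server must also normalise with stringprep/PRECIS.
        resource = ""
        if "/" in text:
            text, resource = text.split("/", 1)
        local, _, domain = text.rpartition("@")
        return cls(local.lower(), domain.lower(), resource)

    def bare(self):
        return (self.local, self.domain)


def check_c2s_from(stanza_xml, bound_jid):
    """Return the 'from' the server should stamp on the stanza, or None when
    the client claimed an address outside its own account (spoofing attempt).
    An absent 'from' is simply filled in with the stream's bound full JID."""
    claimed = ET.fromstring(stanza_xml).get("from")
    if claimed is None:
        return bound_jid
    if Jid.parse(claimed).bare() != Jid.parse(bound_jid).bare():
        return None  # reject: <invalid-from/>, never forward it
    return bound_jid  # server always stamps the authoritative full JID


def check_s2s_from(stanza_xml, verified_domain):
    """True only if the stanza's 'from' domainpart is the domain the remote
    server proved it is authoritative for; s2s stanzas must carry 'from'."""
    claimed = ET.fromstring(stanza_xml).get("from")
    if claimed is None:
        return False
    return Jid.parse(claimed).domain == verified_domain.lower()


# Constructed sample: a forged iq result claiming to come from another account.
FORGED_IQ = '<iq xmlns="jabber:client" type="result" id="1" from="admin@example.org"/>'
```

A rejected stanza is the right place to log the bound JID next to the claimed 'from', since that pair is what distinguishes a buggy client from a deliberate spoof.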