[Security] [jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Fri Jan 31 19:04:59 UTC 2014


On 31.01.2014 18:01, Mark Doliner wrote:
> On Fri, Jan 31, 2014 at 2:51 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>> In general the reply should always have 'to' and 'from' exchanged. I think
>> any server which doesn't do so, does something wrong.
>
> Hmm, are you talking about the 'jabber:client' namespace? If so I
> think this statement isn't correct. I think there are times when 'to'
> and 'from' are allowed to be empty. Examples:

I'm not talking about any specific namespace. I'm talking about replies and 
I'm ignoring empty 'to' or 'from' as they are just a replacement for 
some specific JID and are a mistake in history.

Anyway, I think this discussion has gone off topic and we 
should not continue the discussion about empty 'from' or 'to' attributes 
under that topic.


The real problem is that there seem to be some servers out in the wild 
which don't do any validity checks for the 'from' attribute and thus 
allow spoofing of the 'from' attribute. The correct solution is that no 
client should be allowed to send any stanza, whatever type it is, with a 
'from' which doesn't belong to the account it has been validated for.

The same applies to s2s connections. A server should always check whether the 
'from' attribute in received stanzas belongs to what the remote has 
been validated for, thus forbidding spoofing.

Regards,

Alexander Holler
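The following is an added example, not code from the poster or from any XMPP server: it shows the two server-side 'from' checks the message asks for (c2s against the authenticated full JID, s2s against the authenticated peer domain) and the client-side check that an iq reply carries the id of the request and a 'from' equal to the request's 'to'. Stanzas are constructed inline and parsed with the standard library; JID splitting is a simplified helper with no stringprep normalization.

```python
import xml.etree.ElementTree as ET

def split_jid(jid):
    """Split 'local@domain/resource' into (local, domain, resource); missing parts are ''.
    Simplified: no case folding or stringprep, which a real server must apply."""
    node, _, resource = jid.partition('/')
    local, sep, domain = node.rpartition('@')
    if not sep:
        local, domain = '', node
    return local, domain, resource

def c2s_from_is_valid(stanza_xml, session_full_jid):
    """Server-side check on a c2s stream: 'from' may be empty (server fills it in),
    the account's bare JID, or the full JID of this very session. Any other
    value, including another resource of the same account, is rejected."""
    frm = ET.fromstring(stanza_xml).get('from')
    if not frm:
        return True
    s_local, s_domain, s_res = split_jid(session_full_jid)
    f_local, f_domain, f_res = split_jid(frm)
    if (f_local, f_domain) != (s_local, s_domain):
        return False
    return f_res in ('', s_res)

def s2s_from_is_valid(stanza_xml, authenticated_domain):
    """Server-side check on an s2s stream: the domain part of 'from' must be the
    domain the remote server authenticated as (e.g. via Dialback or TLS cert)."""
    frm = ET.fromstring(stanza_xml).get('from')
    if not frm:
        return False  # stanzas over s2s must carry an explicit 'from'
    return split_jid(frm)[1] == authenticated_domain

def iq_reply_matches(request_xml, reply_xml, own_bare_jid):
    """Client-side check: a result/error is accepted only if its id matches an
    outstanding request and its 'from' is the request's 'to' (for a request with
    no 'to', i.e. to our own account, the reply may carry no 'from' or our bare JID)."""
    req, rep = ET.fromstring(request_xml), ET.fromstring(reply_xml)
    if rep.get('type') not in ('result', 'error') or rep.get('id') != req.get('id'):
        return False
    expected = req.get('to')
    if expected:
        return rep.get('from') == expected
    return rep.get('from') in (None, '', own_bare_jid)

# Constructed sample stanzas
SESSION = 'alice@example.org/laptop'
GOOD = "<iq xmlns='jabber:client' type='get' id='q1' from='alice@example.org/laptop' to='bob@example.org'><query xmlns='jabber:version'/></iq>"
SPOOFED = "<iq xmlns='jabber:client' type='get' id='q1' from='bob@example.org/home' to='carol@example.org'/>"
REPLY_OK = "<iq xmlns='jabber:client' type='result' id='q1' from='bob@example.org' to='alice@example.org/laptop'/>"
REPLY_BAD = "<iq xmlns='jabber:client' type='result' id='q1' from='mallory@example.org' to='alice@example.org/laptop'/>"
```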

