[standards-jig] JEP-0077 Password Changing Security Flaw

Tomasz Sterna tomek at smoczy.net
Fri Jan 23 20:07:52 UTC 2004


In a message of Fri, 23-01-2004, 06:02, JD Conley writes: 
> I'm not talking about
> security in that context.  I'm talking about a flaw in the protocol.

What you are describing is a flaw in a client, not in the protocol.

There is no way of changing the password without knowing the current
one. You need to auth first to make a change.

I see no reason for requiring it twice.
You have already proven that you are a legitimate user.

Every "other implementation" you described is a client-side
implementation. It is the /bin/passwd program or the Windows "change
password" prompt window that is protecting you from malicious coworkers.
A Jabber client should do the same.
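The client-side guard described in this reply, as an added example that is not part of the mailing list thread or of any Jabber client: the client keeps a salted verifier of the password it logged in with, re-confirms the current password locally before building the jabber:iq:register password-change stanza, and refuses to send anything over an unauthenticated session. The `AuthenticatedSession` class, the `confirm_current_password` and `change_password` names, and the stanza id are constructed for illustration; the stanza layout follows the JEP-0077 register query as assumed here.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

REGISTER_NS = "jabber:iq:register"  # namespace of the JEP-0077 query (assumed)


def password_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest the client keeps in memory after login so it can
    re-confirm the current password locally (constructed helper, not a protocol
    element)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class AuthenticatedSession:
    """Minimal stand-in for a client session that has already authenticated
    (hypothetical; a real client would hold a socket and stream state)."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.authenticated = True
        # Only the salted digest is retained, never the cleartext password.
        self._salt, self._digest = password_verifier(password)

    def confirm_current_password(self, candidate: str) -> bool:
        """Constant-time comparison of the re-entered password against the
        verifier captured at login."""
        _, candidate_digest = password_verifier(candidate, self._salt)
        return hmac.compare_digest(candidate_digest, self._digest)


def build_change_request(username: str, new_password: str, stanza_id: str) -> str:
    """Serialise the password-change IQ: an <iq type='set'> carrying a
    jabber:iq:register query with <username/> and <password/> children."""
    iq = ET.Element("iq", {"type": "set", "id": stanza_id})
    query = ET.SubElement(iq, "query", {"xmlns": REGISTER_NS})
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = new_password
    return ET.tostring(iq, encoding="unicode")


def change_password(session: AuthenticatedSession, current_password: str,
                    new_password: str, stanza_id: str = "change1") -> str:
    """Client-side guard: the change is only built (and would only be sent)
    when the session is authenticated AND the user re-enters the current
    password, so someone at an unattended terminal cannot silently replace it."""
    if not session.authenticated:
        raise PermissionError("password change requires an authenticated session")
    if not session.confirm_current_password(current_password):
        raise PermissionError("current password confirmation failed")
    if not new_password:
        raise ValueError("new password must not be empty")
    return build_change_request(session.username, new_password, stanza_id)


if __name__ == "__main__":
    # Constructed sample: a logged-in user changing their own password.
    session = AuthenticatedSession("tomek", "old-secret")
    print(change_password(session, "old-secret", "new-secret"))
```

The server side of the protocol is unchanged by this: it still only needs the session to be authenticated, exactly as the reply argues. The re-prompt lives in the client, in the same place where /bin/passwd asks for the old password before accepting a new one.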
