[standards-jig] JEP-0077 Password Changing Security Flaw

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Jan 23 20:56:26 UTC 2004


Clients that provide an XML window could still be compromised by manually 
entering the password-changing XML.

There are also other interesting things you can do with such XML windows, like 
enabling 'Plaintext login' and then authenticating while the XML window is 
open.  Of course, the user would need his password saved to disk for this to 
work, which is generally easy for an attacker to retrieve anyway.

I hate to repeat the same old "don't let an untrusted person use your 
computer" mantra, as it is not very productive, but I'm not sure of any other 
good solution.  I suppose the client could be more locked-down so that there 
is no XML window, but at that point you may as well just lock your desktop.

-Justin

On Friday 23 January 2004 12:21 pm, JD Conley wrote:
> Interesting thought...
>
> So perhaps we need a directive that clients SHOULD (or MUST maybe?) request
> both the old and new password, attempt to auth on another stream with the
> old password and then, if successful, set the new password.  This would
> make me happy if changing the protocol is out of the question.
>
> JD
>
> > -----Original Message-----
> > From: Tomasz Sterna [mailto:tomek at smoczy.net]
> > Sent: Friday, January 23, 2004 12:08 PM
> > To: standards-jig at jabber.org
> > Subject: RE: [standards-jig] JEP-0077 Password Changing Security Flaw
> >
> > In a message from Fri, 23-01-2004, 06:02, JD Conley writes:
> > > I'm not talking about
> > > security in that context.  I'm talking about a flaw in the protocol.
> >
> > What you are describing is a flaw in a client, not in the protocol.
> >
> > There is no way of changing the password without knowing the current
> > one. You need to auth first to make a change.
> >
> > I see no reason for requiring it twice.
> > You have already proven that you are a legitimate user.
> >
> > Every "other implementation" you described is a client-side
> > implementation. It is the /bin/passwd program or the Windows
> > "change password prompt window" that is protecting you from
> > malicious coworkers. A Jabber client should do the same.
> >
> > _______________________________________________
> > Standards-JIG mailing list
> > Standards-JIG at jabber.org
> > http://mailman.jabber.org/listinfo/standards-jig
>
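The client-side check JD proposes (ask for the old and new password, prove the old one on a separate stream, and only then send the JEP-0077 change) next to the flow the thread is worried about, as an added example that is not part of this thread or of any XMPP library. The server, stream and user table below are a hypothetical in-memory model written for this illustration; only the shape of the `jabber:iq:register` stanza comes from JEP-0077, and the usernames and passwords are constructed sample data.

```python
import xml.etree.ElementTree as ET

REGISTER_NS = "jabber:iq:register"   # namespace used by JEP-0077


def ns(tag):
    """Clark-notation tag name in the jabber:iq:register namespace."""
    return f"{{{REGISTER_NS}}}{tag}"


def build_change_stanza(username, new_password, stanza_id="change1"):
    """Build the JEP-0077 password-change request:
    <iq type='set'><query xmlns='jabber:iq:register'><username/><password/></query></iq>"""
    iq = ET.Element("iq", {"type": "set", "id": stanza_id})
    query = ET.SubElement(iq, ns("query"))
    ET.SubElement(query, ns("username")).text = username
    ET.SubElement(query, ns("password")).text = new_password
    return iq


class Stream:
    """An authenticated client stream bound to one username (hypothetical)."""

    def __init__(self, server, username):
        self.server = server
        self.username = username

    def send_iq(self, stanza):
        return self.server.handle_iq_set(self, stanza)


class Server:
    """Toy server: a user table plus the JEP-0077 set handler (hypothetical)."""

    def __init__(self, users):
        self.users = dict(users)   # username -> password

    def open_stream(self, username, password):
        """Authenticate; return a Stream on success, None on failure."""
        if self.users.get(username) == password:
            return Stream(self, username)
        return None

    def handle_iq_set(self, stream, stanza):
        """Honour a password change from any authenticated stream."""
        if stanza.tag != "iq" or stanza.get("type") != "set":
            return False
        query = stanza.find(ns("query"))
        if query is None:
            return False
        username = query.findtext(ns("username"))
        new_password = query.findtext(ns("password"))
        # The protocol gives the server nothing beyond "this stream is
        # authenticated"; it cannot tell who is sitting at the keyboard.
        if username != stream.username or not new_password:
            return False
        self.users[username] = new_password
        return True


def change_password_naive(stream, new_password):
    """Reuse the already-open stream, e.g. one logged in from a saved password."""
    return stream.send_iq(build_change_stanza(stream.username, new_password))


def change_password_checked(server, username, old_password, new_password):
    """JD's proposal: prove the old password on a fresh stream before changing."""
    probe = server.open_stream(username, old_password)
    if probe is None:
        return False   # old password wrong: refuse, and send nothing
    return probe.send_iq(build_change_stanza(username, new_password))


def demo():
    """Run both flows against a constructed user table and report the outcomes."""
    server = Server({"alice": "correct horse"})
    # Alice's client logged in with a saved password and was left unlocked.
    session = server.open_stream("alice", "correct horse")

    naive_ok = change_password_naive(session, "someone-elses-choice")
    naive_password = server.users["alice"]

    server.users["alice"] = "correct horse"   # reset for the checked flow
    wrong_ok = change_password_checked(server, "alice", "wrong guess", "someone-elses-choice")
    after_wrong = server.users["alice"]
    right_ok = change_password_checked(server, "alice", "correct horse", "battery staple")
    after_right = server.users["alice"]

    return {
        "naive_changed": naive_ok, "naive_password": naive_password,
        "checked_wrong_old": wrong_ok, "after_wrong_old": after_wrong,
        "checked_right_old": right_ok, "after_right_old": after_right,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server side is unchanged between the two flows, which is Tomasz's point: the stanza is accepted from any authenticated stream, so the only place the old password can be re-checked is the client. The check is only worth something if the client asks the user to type the old password rather than filling it in from the saved copy, and, as Justin notes, a client that also exposes a raw XML window lets the naive stanza be sent by hand regardless.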
