[JDEV] Better to forbid sending "subscribed" directly?
YAMASHITA, Kei
Kei.Yamashita at jp.sony.com
Fri Aug 9 04:09:09 CDT 2002
Hi, all.
// if this issue has been already discussed somewhere,
// please give me a pointer to it....
In the current Jabber protocol (jabberd 1.4.2), a user can send
a presence message with type=subscribed to anybody; that is,
even if you have not received a subscription request
(presence type=subscribe) from another person, you can send "subscribed" to
that person.
And when a server receives this direct "subscribed" message,
the server not only adds the receiver into the sender's roster,
but also adds the sender into the receiver's roster automatically.
I think this could be a security problem.
A malicious person can put himself into anybody's roster without any
permission, and can send his presence with a dubious commercial
message in the <status> tag.
I would like to know if this is the spec or a bug,
and if this is the spec, I want to know its original intention.
Thanks in advance,
kei
---
Kei Yamashita, Sony Corporation
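The roster behaviour described in the post, modelled as an added example (not jabberd code): a receiver-side roster that, in permissive mode, accepts any inbound presence type=subscribed and adds the sender, and in strict mode only honours a "subscribed" that answers the local user's own pending request. The roster fields (subscription none/to/from/both, ask="subscribe") follow the Jabber roster model; the JIDs and stanzas are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas (not taken from the original post).
UNSOLICITED = "<presence from='mallory@example.net' to='kei@example.org' type='subscribed'/>"
WANTED = "<presence from='friend@example.org' to='kei@example.org' type='subscribed'/>"


def parse_presence(xml_text):
    """Return (sender, presence type) from a presence stanza."""
    el = ET.fromstring(xml_text)
    if el.tag != "presence":
        raise ValueError("not a presence stanza")
    return el.get("from"), el.get("type")


class Roster:
    """Receiver-side roster: contact -> {'subscription': none/to/from/both, 'ask': None or 'subscribe'}."""

    def __init__(self):
        self.items = {}

    def request_subscription(self, contact):
        """Local user sent presence type='subscribe' to contact: remember the pending ask."""
        item = self.items.setdefault(contact, {"subscription": "none", "ask": None})
        item["ask"] = "subscribe"

    def process_presence(self, xml_text, strict=True):
        """Handle an inbound presence stanza; return True if the roster was changed.

        strict=False reproduces the behaviour the post describes: the sender lands
        in the roster whether or not we ever asked for a subscription.
        strict=True only accepts a 'subscribed' that answers our own pending
        request, so an unsolicited one is dropped without touching the roster.
        """
        sender, ptype = parse_presence(xml_text)
        if ptype != "subscribed":
            return False
        item = self.items.get(sender)
        pending = item is not None and item["ask"] == "subscribe"
        if strict and not pending:
            return False
        item = self.items.setdefault(sender, {"subscription": "none", "ask": None})
        item["ask"] = None
        # Our outbound request was granted: we now receive the contact's presence.
        item["subscription"] = "both" if item["subscription"] == "from" else "to"
        return True
```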