[JDEV] DoS on server component
Federico Lucifredi
flucifredi at acm.org
Fri May 17 21:45:47 CDT 2002
no, it is sent by a sleepy developer =) -- actually, a client.
I will dig out the packets this weekend and do a more thorough analysis of
what's going on as requested by DJ..
-Federico
----- Original Message -----
From: "Thomas Muldowney" <temas at box5.net>
To: <jdev at jabber.org>
Sent: Friday, May 17, 2002 14:55
Subject: Re: [JDEV] DoS on server component
> Is this sent from the component? Components are fully trusted and must
> ensure they use a correct from, or else this could happen.
>
> --temas
>
>
>
> DJ Adams wrote:
>
> >On Wed, May 15, 2002 at 06:16:45PM -0400, Federico Lucifredi wrote:
> >
> >
> >>Hello All,
> >> While I was typing one of countless telnet probes on a server component
> >>I am trying to develop, I casually managed to DOS my own server... in a
> >>quite unexpected way.
> >>
> >>
> >
> >...
> >
> >
> >
> >> My code is modeled after DJ Adams' example of an RSS news agent, and for
> >>the purpose of this discussion, I'll use his:
> >>
> >>
> >
> >Uh-oh.... ;-)
> >
> >
> >
> >>Now, in my sleepiness, I did put in the query
> >>
> >><iq id='browse'
> >> to='rss.jabber.endorfine.org'
> >> from='bob@jabber.endorfine.org'
> >> type='get'>
> >> <query xmlns='jabber:iq:browse'/>
> >></iq>
> >>
> >>Apparently the unnecessary from attribute confuses the toFrom() function, and
> >>the result is that the message keeps being fed to the component by the
> >>server -
> >>
> >>
> >
> >Hmm, this seems a little odd, especially when one considers that the JSM will
> >whack on the 'correct' from attribute before it reaches the component. Do you
> >have any log of the packets as the loop starts?
> >
> >cheers
> >dj
> >_______________________________________________
> >jdev mailing list
> >jdev at jabber.org
> >http://mailman.jabber.org/listinfo/jdev
> >
> >