[JDEV] [SECURITY] Remote roster manipulation bug in various Jabber clients
Dave Smith
dizzyd at jabber.org
Wed Jul 2 15:41:18 CDT 2003
On Wednesday, Jul 2, 2003, at 14:05 America/Denver, Jacek Konieczny
wrote:
> By using this vulnerability and modifying someone's roster, one may make
> him start a chat or send a file to a person the user doesn't intend to
> contact. This would require sending one <iq/> to remove the original
> entry, a second one to add a new entry with the same name, and usually a
> <presence/> to show the contact as available. The new JID will usually be
> visible in the chat window or in the roster item details, but users
> usually care about the contact name only.
>
> This method changes the roster copy in the client only and doesn't change
> the original roster on the server. But if the victim changes the forged
> entry (e.g. to fix a typo) it will be sent to his server. However,
> subscription information cannot be changed this way.
I'm not certain what level of vulnerability this really is -- sending
an IQ to the client does not make any permanent changes to the user's
roster. At worst, I see a new person on my roster (a cosmetic issue)
for the duration of my session; when I logout/login the user would be
gone (since the server-side roster was not updated).
Also note that people can already send messages (and request file
transfers) to others without being on the recipient's roster.
> 5. Proposed fix
>
> In clients, before handling roster pushes, check the "from" attribute and
> drop the request if "from" is set and is not the session's full JID.
Sure -- that's a reasonable way to avoid the fix.
> 6. Possible workaround
>
> On the server, drop all <iq/> stanzas from "outside" containing the
> "jabber:iq:roster" namespace. However, this breaks normal XMPP stanza
> routing rules.
As noted, that would break routing for a variety of reasons -- I
strongly discourage anyone from trying this approach.
D.
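The client-side check proposed in point 5 above, written out as an added example (not code from the thread or from any Jabber client). It parses a roster push with the standard library, accepts it only when "from" is absent or is our own session JID, and otherwise leaves the local roster copy untouched. The stanzas, the session JID and the acceptance of the bare JID (the rule RFC 6121 later adopted) are assumptions for illustration; the "from" check relies on the server stamping "from" on every stanza it routes from another entity.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"


def bare_jid(jid: str) -> str:
    """Strip the resource: user@host/res -> user@host."""
    return jid.split("/", 1)[0]


def is_trusted_roster_push(stanza_xml: str, session_jid: str) -> bool:
    """True only if this <iq type='set'/> carrying jabber:iq:roster may
    update the client's roster copy: no 'from' (server-originated),
    'from' == our full session JID (the fix proposed on the list), or
    'from' == our bare JID (RFC 6121 rule, assumed here). Else drop it."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag not in ("iq", "{jabber:client}iq") or iq.get("type") != "set":
        return False
    if iq.find("{%s}query" % ROSTER_NS) is None:
        return False  # not a roster push at all
    sender = iq.get("from")
    if sender is None:
        return True
    return sender in (session_jid, bare_jid(session_jid))


def apply_roster_push(roster: dict, stanza_xml: str, session_jid: str) -> bool:
    """Apply a push to the in-memory roster (jid -> item dict) if trusted.
    Returns True when the push was applied, False when it was dropped."""
    if not is_trusted_roster_push(stanza_xml, session_jid):
        return False
    query = ET.fromstring(stanza_xml).find("{%s}query" % ROSTER_NS)
    for item in query.findall("{%s}item" % ROSTER_NS):
        jid = item.get("jid")
        if item.get("subscription") == "remove":
            roster.pop(jid, None)
        else:
            roster[jid] = {"name": item.get("name", ""),
                           "subscription": item.get("subscription", "none")}
    return True


# Constructed sample: one genuine server push, then the two-stanza
# substitution described in the report, sent by an outside JID.
SESSION = "alice@example.org/home"
LEGIT = ("<iq type='set' id='p1'><query xmlns='jabber:iq:roster'>"
         "<item jid='bob@example.org' name='Bob' subscription='both'/></query></iq>")
FORGED_REMOVE = ("<iq type='set' id='x1' from='mallory@example.net'><query xmlns='jabber:iq:roster'>"
                 "<item jid='bob@example.org' subscription='remove'/></query></iq>")
FORGED_ADD = ("<iq type='set' id='x2' from='mallory@example.net'><query xmlns='jabber:iq:roster'>"
              "<item jid='mallory@example.net' name='Bob' subscription='both'/></query></iq>")


def demo():
    """Feed all three pushes through the check; returns (applied flags, roster)."""
    roster = {}
    applied = [apply_roster_push(roster, s, SESSION) for s in (LEGIT, FORGED_REMOVE, FORGED_ADD)]
    return applied, roster
```

Without the check, the last two stanzas would silently replace Bob's entry with one pointing at the outside JID while keeping the display name "Bob".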