[JDEV] [SECURITY] Remote roster manipulation bug in various Jabber clients
Jamin W. Collins
jcollins at asgardsrealm.net
Wed Jul 2 15:53:18 CDT 2003
On Wed, Jul 02, 2003 at 10:05:11PM +0200, Jacek Konieczny wrote:
> 3. Impact
>
> The attack cannot be done from Jabber client connection to jabberd
> 1.4.x server because of similar bug (or feature) in this server - it
> doesn't check "to" attribute and all such <iq/>s treats as directed to
> the server. Attacker roster stored on server is modified instead of
> victims ones.
Wouldn't this still be a concern? The roster on the server would be
modified and only corrected if the client exited properly, thus
resyncing it's list to the server, right?
--
Jamin W. Collins
Remember, root always has a loaded gun. Don't run around with it unless
you absolutely need it. -- Vineet Kumar
More information about the JDev
mailing list