[JDEV] [SECURITY] Remote roster manipulation bug in various Jabber clients

Julian Missig julian at jabber.org
Wed Jul 2 16:19:19 CDT 2003


On Wednesday, Jul 2, 2003, at 16:53 US/Eastern, Jamin W. Collins wrote:

> On Wed, Jul 02, 2003 at 10:05:11PM +0200, Jacek Konieczny wrote:
>
>> 3. Impact
>>
>> The attack cannot be done from a Jabber client connection to a jabberd
>> 1.4.x server because of a similar bug (or feature) in this server - it
>> doesn't check the "to" attribute and treats all such <iq/>s as directed
>> to the server. The attacker's roster stored on the server is modified
>> instead of the victim's.
>
> Wouldn't this still be a concern?  The roster on the server would be
> modified and only corrected if the client exited properly, thus
> resyncing its list to the server, right?

Why would it be a concern? It's the *attacker's* roster which would be 
modified in that case, not the victim's. As an aside, clients typically 
do not "resync" their lists to the server when they exit.

Julian
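
The exchange above turns on who a roster <iq/> appears to come from. As an added example (not part of the original thread and not any client's own code), this is the sender check a client can apply before acting on a roster set, following the rule in RFC 6121 section 2.1.6. It assumes the client-side bug is acceptance of roster sets from arbitrary senders; the JIDs and stanzas are constructed samples.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
OWN_JID = "victim@example.org/home"  # constructed account JID


def bare_jid(jid):
    """Strip the resource part: user@host/resource -> user@host."""
    # Lower-casing is a simplification of full JID normalisation.
    return jid.split("/", 1)[0].lower()


def accept_roster_push(stanza_xml, own_jid):
    """Return True only if the stanza is a roster set the client may apply.

    Sender rule (RFC 6121, section 2.1.6): the stanza has no 'from', or
    its 'from' equals the account's own bare JID. Anything else is ignored.
    """
    iq = ET.fromstring(stanza_xml)  # fine for these samples; real clients use a stream parser
    local_name = iq.tag.rsplit("}", 1)[-1]  # tolerate a jabber:client namespace
    if local_name != "iq" or iq.get("type") != "set":
        return False
    if iq.find("{%s}query" % ROSTER_NS) is None:
        return False
    sender = iq.get("from")
    if sender is None:
        return True  # implicitly from the user's own account on the server
    return sender.lower() == bare_jid(own_jid)


ITEM = "<query xmlns='jabber:iq:roster'><item jid='friend@example.org' subscription='both'/></query>"

# Constructed stanzas: what a client might see on its stream.
SAMPLES = {
    "server_push_no_from": "<iq type='set' id='p1'>%s</iq>" % ITEM,
    "own_bare_jid": "<iq type='set' id='p2' from='victim@example.org'>%s</iq>" % ITEM,
    "third_party": "<iq type='set' id='p3' from='mallory@example.net/x' "
                   "to='victim@example.org/home'>%s</iq>" % ITEM,
    "roster_result": "<iq type='result' id='p4'>%s</iq>" % ITEM,
}

if __name__ == "__main__":
    for name, stanza in SAMPLES.items():
        verdict = "apply" if accept_roster_push(stanza, OWN_JID) else "ignore"
        print("%-20s %s" % (name, verdict))
```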



