[JDEV] [SECURITY] Remote roster manipulation bug in various Jabber clients

Jacek Konieczny jajcus at bnet.pl
Thu Jul 3 01:28:41 CDT 2003


On Wed, Jul 02, 2003 at 02:41:18PM -0600, Dave Smith wrote:
> > This method changes the roster copy in the client only and doesn't change
> > the original roster on the server. But if the victim changes the forged entry
> > (e.g. to fix a typo) it will be sent to his server. However, subscription
> > information cannot be changed this way.
> 
> I'm not certain what level of vulnerability this really is -- sending 
> an IQ to the client does not make any permanent changes to the user's 
> roster. At worst, I see a new person on my roster (a cosmetic issue) 
> for the duration of my session; when I logout/login the user would be 
> gone (since the server-side roster was not updated).

Contacts may not only be added but also changed and removed. During the
affected session the user may write confidential messages or send files to
the wrong person (e.g. he will send it to the contact named "stpeter" in his
roster, but it will go to me, not stpeter, if I forged the entry). Even
PGP signatures may not help if the attacker's key is known to the victim's
client, as it is the JID that is checked, not the roster name.

The roster on the server may also be modified, but some kind of social
engineering will be needed. One may modify the forged entry so its name is
spelled wrong. When the victim notices that, he may fix it, and the entry
with the fixed spelling, but the JID still forged, will be sent to the server.

I agree this bug is not very dangerous (it is mostly theoretical), but
it is a bug and should be fixed.

Greets,
	Jacek
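The attack described in this message, as an added example that is not code from the thread or from any of the affected clients: a minimal client-side roster copy that applies roster-push IQs, delivered once with the vulnerable behaviour (any entity that can route an IQ to the client rewrites its contact list) and once with the sender check that a client should apply. The check used here is the rule RFC 6121 section 2.1.6 later made explicit, namely that a roster push is accepted only when it carries no 'from' attribute or a 'from' equal to the user's own bare JID. All JIDs and the forged stanza are constructed for the example.

```python
# Added example (not code from the thread or any Jabber client): how a client
# applies a roster push, and the sender check that defeats the forgery described.
import xml.etree.ElementTree as ET

NS_CLIENT = "{jabber:client}"
NS_ROSTER = "{jabber:iq:roster}"


def bare_jid(jid):
    """user@host/resource -> user@host (the part roster items are keyed by)."""
    return jid.split("/", 1)[0]


class Roster:
    """Minimal client-side roster copy keyed by bare JID."""

    def __init__(self, own_jid):
        self.own_jid = bare_jid(own_jid)
        self.items = {}  # bare JID -> {"name": ..., "subscription": ...}

    def apply_push(self, stanza_xml, strict=True):
        """Apply an <iq type='set'> roster push. Returns True if it was applied.

        strict=False mimics the vulnerable behaviour: any entity that can
        deliver an IQ to the client rewrites its roster view. strict=True
        accepts a push only from the user's own server, which sends it with
        no 'from' or with from == the user's bare JID (RFC 6121, 2.1.6).
        """
        iq = ET.fromstring(stanza_xml)
        if iq.tag != NS_CLIENT + "iq" or iq.get("type") != "set":
            return False
        query = iq.find(NS_ROSTER + "query")
        if query is None:
            return False
        sender = iq.get("from")
        if strict and sender is not None and bare_jid(sender) != self.own_jid:
            return False  # push from a third party: ignore it
        for item in query.findall(NS_ROSTER + "item"):
            jid = bare_jid(item.get("jid"))
            if item.get("subscription") == "remove":
                self.items.pop(jid, None)
            else:
                self.items[jid] = {
                    "name": item.get("name", jid),
                    "subscription": item.get("subscription", "none"),
                }
        return True

    def jid_for_name(self, name):
        """What a contact list does when the user clicks a display name."""
        for jid, entry in self.items.items():
            if entry["name"] == name:
                return jid
        return None


# Constructed forged push (addresses are made up): removes the real "stpeter"
# entry and re-adds the same display name pointing at the attacker's JID.
FORGED_PUSH = (
    '<iq xmlns="jabber:client" type="set" id="push1" '
    'from="attacker@example.net/home" to="victim@example.org/desk">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="stpeter@jabber.org" subscription="remove"/>'
    '<item jid="attacker@example.net" name="stpeter" subscription="both"/>'
    '</query></iq>'
)


def run(strict):
    """Start with a genuine stpeter entry, deliver the forged push, and report
    (was it applied?, which JID a message to "stpeter" would now reach)."""
    roster = Roster("victim@example.org/desk")
    roster.items["stpeter@jabber.org"] = {"name": "stpeter", "subscription": "both"}
    applied = roster.apply_push(FORGED_PUSH, strict=strict)
    return applied, roster.jid_for_name("stpeter")


if __name__ == "__main__":
    print("vulnerable client:", run(strict=False))  # (True, 'attacker@example.net')
    print("checking client:  ", run(strict=True))   # (False, 'stpeter@jabber.org')
```

With the check disabled, a message the user addresses to the contact shown as "stpeter" is routed to attacker@example.net, which is exactly the misdirection the message above warns about; with the check enabled the forged push is dropped and the genuine entry survives. The comparison is deliberately on the bare JID, since a server may stamp pushes with the user's full JID, and the check does not touch the separate question of whether the server's own roster copy is correct.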


