[jdev] serious jabberd's 1.4.3 violation of XMPP-Core
Tijl Houtbeckers
thoutbeckers at splendo.com
Sat Oct 16 19:01:42 CDT 2004
On Sat, 16 Oct 2004 19:48:25 -0400, Justin <justin at openaether.org> wrote:
> Alexey Nezhdanov wrote:
>
>> XMPP-Core:
>> 4.3 Stream Security
>> An entity SHOULD NOT attempt to send XML Stanzas over the
>> stream before the stream has been authenticated, but if it does then
>> the other entity MUST NOT accept such stanzas and SHOULD return a
>> <not-authorized/> stream error and then terminate both the XML stream
>> and the underlying TCP connection
>>
>> jabberd 1.4.3 (at least on my host) sends stanzas immediately upon
>> connect, not waiting for dialback auth completion.
>>
> jabberd 1.4.3 is distinctly NOT xmpp compliant. It was written long
> before xmpp and there are no active developers.
>
> If you want xmpp compliance then select a modern jabber server.
Well, in this case it's not so much about XMPP compliance. It just
sounds like a big security leak, regardless of which protocol it is meant to
implement!
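
The receiving-side rule quoted from XMPP-Core 4.3 in this thread, as an added example that is not part of the original messages and is not jabberd code: a gate on an inbound server-to-server stream that refuses stanzas until the peer is authenticated. The class and method names are hypothetical, the sample elements are constructed, and dialback key verification itself is not modelled (`mark_authenticated()` stands in for it).

```python
import xml.etree.ElementTree as ET

STANZAS = {"message", "presence", "iq"}
NOT_AUTHORIZED = ("<stream:error><not-authorized "
                  "xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
                  "</stream:error></stream:stream>")

class InboundStream:
    """Receiving side of one server-to-server stream (hypothetical class)."""
    def __init__(self):
        self.authenticated = False
        self.closed = False
        self.delivered = []  # stanzas accepted for routing
        self.sent = []       # data written back to the peer

    def mark_authenticated(self):
        # Called by the dialback (or SASL) layer once the peer is verified.
        self.authenticated = True

    def handle(self, xml_text):
        """Process one top-level stream element; False means not accepted."""
        if self.closed:
            return False
        name = ET.fromstring(xml_text).tag.rsplit("}", 1)[-1]
        if name in STANZAS and not self.authenticated:
            # MUST NOT accept; SHOULD send <not-authorized/> and terminate.
            self.sent.append(NOT_AUTHORIZED)
            self.closed = True  # caller also closes the TCP connection
            return False
        if name in STANZAS:
            self.delivered.append(xml_text)
        return True  # non-stanza elements go on to the auth layer

# Constructed sample elements (not captured traffic).
DB_RESULT = ("<db:result xmlns:db='jabber:server:dialback' "
             "from='a.example' to='b.example'>constructed-key</db:result>")
MESSAGE = "<message from='u@a.example' to='v@b.example'><body>hi</body></message>"

def demo():
    early = InboundStream()           # peer sends a stanza before auth
    early_ok = early.handle(MESSAGE)
    compliant = InboundStream()       # peer completes dialback first
    compliant.handle(DB_RESULT)
    compliant.mark_authenticated()
    compliant.handle(MESSAGE)
    return early_ok, early.closed, early.delivered, compliant.delivered

if __name__ == "__main__":
    print(demo())
```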