[jdev] [Security] Spoofing of iq ids and misbehaving servers

[Waqas Hussain]

On Sun, Feb 2, 2014 at 1:33 AM, Alexander Holler <holler at ahsoftware.de> wrote:
> Am 02.02.2014 02:30, schrieb Mark Doliner:
>> On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <holler at ahsoftware.de> wrote:
>>> Am 01.02.2014 20:41, schrieb Mark Doliner:
>>>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <holler at ahsoftware.de> wrote:
>>>>> Thijs Alkemade didn't wrote that an already broken server is necessary to
>>>>> explore or do something malicious with "delaying" replies or whatever.
>>>>
>>>> An already broken server is NOT necessary. The IQ from malicious user
>>>> to target user might look like this:
>>>> <iq to="target at domain.lit/Resource" id="someid123" type="result">
>>>>     <query xmlns="jabber:iq:roster">
>>>>         <item jid="whatever at example.com" subscription="both" />
>>>>     </query>
>>>> </iq>
>>>
>>> This is would end up as a reply from the one who send that stanza. So
>>> already a wrong sender. If a client doesn't check that, it's as broken
>>> as a server which doesn't validate the 'from' attribute.
>>
>> Yes, that's exactly the point of this email thread. Thijs wanted to
>> raise awareness that in fact many clients DON'T check the 'from' for
>> iq replies.
>
> Oh. Based on the subject, the non-disclosed CVE and the description I
> had the impression the problem is that don't a make a difference between
> 'server' or 'myself' in the 'from' attribute of replies and that this
> thread was because of misbehaving servers. But not that clients don't
> check the 'from' at all which is a slightly difference.
>

Using the server's hostname in this case is still a bug though.
RFC3920 was vague, but RFC6120 is quite clear on this. Even before
6120's publication this was the consensus (which led to 6120
clarifying it).

In a c2s connection, the default address of the 'c' side is the
connection's full JID, while of the 's' side is the user's bare JID.

--
Waqas Hussain