[jdev] [Security] Spoofing of iq ids and misbehaving servers
Stefan Karlsson
sk at synergysky.com
Wed Feb 5 12:35:14 UTC 2014
Sorry for not replying to the correct post - I could swear I saw a list
of clients where tickets were created, but I couldn't find it.
I checked jabbernet and as far as I could trace the code the iqtracker
did not make use of from, only the id field.
I hacked the static NextID() function in jabber/protocol/element.cs to
return Guid.Next().ToString() instead of a statically increased counter.
The correct way should of course be to track the to/from field properly.
If anyone has a google account and/or is active on jabbernet site feel
free to post my concerns on http://code.google.com/p/jabber-net/issues/list
/Stefan
Reason why I am making this post is because I
On 2014-02-01 20:38, Justin Karneges wrote:
> On 01/31/2014 01:51 PM, Thijs Alkemade wrote:
>> Only two clients I've looked at verify that the 'from' actually
>> matches the
>> 'to' the iq was sent to:
>>
>> * Pidgin (libpurple): incrementing counter starting from a random value
>> * Swift: UUID
>
> Also Iris-based clients (Psi, Kopete, Kadu). Iq ids aren't random but
> the from address is checked.
>
> Justin
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
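The mitigation the thread is driving at, unguessable iq ids plus a check that the answer's 'from' matches the 'to' the request went to, as an added Python example. This is not jabber-net's code; the tracker classes, the JIDs and the server name are constructed for illustration, and the handling of a missing 'from' follows my reading of RFC 6120 (a stanza with no 'from' is from the client's own server on behalf of the account).

```python
import secrets


def bare(jid):
    """Strip the resource: juliet@example.com/balcony -> juliet@example.com."""
    return jid.split("/", 1)[0]


class NaiveIqTracker:
    """Counter ids and no 'from' check: the pattern the thread calls unsafe."""

    def __init__(self):
        self.next_id = 1
        self.pending = {}

    def send(self, to):
        iq_id = f"iq_{self.next_id}"  # predictable, increments by one
        self.next_id += 1
        self.pending[iq_id] = to
        return iq_id

    def accept(self, iq_id, sender):
        # Matches on id alone, so whoever can guess the id is believed.
        return self.pending.pop(iq_id, None) is not None


class CheckedIqTracker:
    """Random ids plus a 'from' check against the recorded 'to'."""

    def __init__(self, own_jid, server):
        self.own_bare = bare(own_jid)
        self.server = server
        self.pending = {}  # iq id -> 'to' of the request (None = own server)

    def send(self, to=None):
        iq_id = secrets.token_urlsafe(16)  # 128 bits from the CSPRNG
        self.pending[iq_id] = to
        return iq_id

    def accept(self, iq_id, sender):
        if iq_id not in self.pending:
            return False
        to = self.pending[iq_id]
        # Only requests handled by our own server (no 'to', the server domain,
        # or our own bare JID) may legitimately come back without a 'from'.
        if to is None:
            allowed = {None, self.server, self.own_bare}
        elif to in (self.server, self.own_bare):
            allowed = {None, to}
        else:
            allowed = {to}
        ok = sender in allowed
        if ok:
            del self.pending[iq_id]  # one answer per request
        return ok
```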