[jdev] [Security] Spoofing of iq ids and misbehaving servers
Alexander Holler
holler at ahsoftware.de
Thu Jan 30 15:36:49 UTC 2014
Am 30.01.2014 13:49, schrieb Thijs Alkemade:
> Then we have Facebook. All replies to iqs without 'to' have
> from='chat.facebook.com':
>
> C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
> S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>
>
> jabber.org itself shows a similar problem:
>
> C: <iq type='set' id='purplec5ae5254'>
> <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
> </iq>
> S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>
>
I would say that is correct (and I do the same in my server). No 'to'
means the target ('to') is the server.
Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the
problem is when a non-existing 'to' will be replaced by a 'to' with the
servers jid (usually just the domain). If I read the Pidgin Security
Advisory correctly, some servers do forward iq-replies which do contain
a 'from' of the server, which is the real problem. So those failing
servers do seem to miss a check for the validity of the 'from'.
But replying to an iq without a 'to' with an iq with a 'from' of the
server is imho correct.
Regards,
Alexander Holler
More information about the JDev
mailing list