[jdev] [Security] Spoofing of iq ids and misbehaving servers
Alexander Holler
holler at ahsoftware.de
Thu Jan 30 15:53:02 UTC 2014
On 30.01.2014 16:36, Alexander Holler wrote:
> Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the
> problem is when a non-existing 'to' is replaced by a 'to' with the
> server's JID (usually just the domain). If I read the Pidgin Security
> Advisory correctly, some servers do forward iq replies which contain
> a 'from' of the server, which is the real problem. So those failing
> servers do seem to miss a check for the validity of the 'from'.
Which is, btw., a bug I reported (not publicly) for an undisclosed
commercial XMPP server in August 2011.
Regards,
Alexander Holler
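The check the thread is circling around, written out as an added example that is not part of the original post, Pidgin, or any server mentioned: a client keeps a table of outstanding IQ requests keyed by id and only accepts a result/error whose 'from' matches the 'to' it originally sent. When the request carried no 'to', RFC 6120 allows the reply to carry no 'from' or the account's bare JID; accepting the bare server domain as well (the behaviour the post describes some servers as having) is an opt-in flag here, labelled as such. The JIDs, ids and stanzas are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
IQ_TAG = "{%s}iq" % NS_CLIENT


def bare(jid):
    """Strip the resource: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def domain_of(jid):
    """Return the domainpart of a JID."""
    return bare(jid).rsplit("@", 1)[-1]


class IqTracker:
    """Tracks outstanding IQ requests and validates the 'from' of replies.

    A reply is accepted only if its id is pending *and* its 'from' is one
    of the senders that request could legitimately be answered by.
    """

    def __init__(self, own_full_jid, accept_server_domain=False):
        self.own_jid = own_full_jid          # hypothetical session JID
        # Opt-in leniency for servers that stamp the bare domain as 'from'
        # on replies to to-less requests (an assumption, not RFC behaviour).
        self.accept_server_domain = accept_server_domain
        self.pending = {}                    # id -> 'to' of request (or None)

    def send(self, iq_id, to=None):
        """Record an outgoing request; 'to' may be absent (server-handled)."""
        self.pending[iq_id] = to

    def expected_senders(self, to):
        """Set of 'from' values a reply to a request with this 'to' may carry."""
        if to is not None:
            return {to}                      # must echo the addressed entity
        allowed = {None, bare(self.own_jid)}  # RFC 6120 8.1.2.1
        if self.accept_server_domain:
            allowed.add(domain_of(self.own_jid))
        return allowed

    def check_reply(self, stanza_xml):
        """Return (accepted, reason) for an incoming stanza.

        A rejected reply leaves the request pending, so a spoofed reply
        cannot knock out the genuine one that may still arrive.
        """
        iq = ET.fromstring(stanza_xml)
        if iq.tag != IQ_TAG:
            return False, "not an iq stanza"
        if iq.get("type") not in ("result", "error"):
            return False, "not a reply"
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False, "no pending request with id %r" % iq_id
        sender = iq.get("from")
        if sender not in self.expected_senders(self.pending[iq_id]):
            return False, "from %r does not match request" % sender
        del self.pending[iq_id]
        return True, "ok"


# Constructed sample exchange (not captured traffic).
SPOOFED = '<iq xmlns="jabber:client" type="result" id="r1" from="mallory@example.com/x"/>'
GENUINE = '<iq xmlns="jabber:client" type="result" id="r1" from="bob@example.com/phone"/>'
SERVER_BARE = '<iq xmlns="jabber:client" type="result" id="r2" from="alice@example.com"/>'
SERVER_DOMAIN = '<iq xmlns="jabber:client" type="result" id="r3" from="example.com"/>'


def demo(accept_server_domain=False):
    """Run the sample exchange; returns the list of (accepted, reason)."""
    t = IqTracker("alice@example.com/laptop", accept_server_domain)
    t.send("r1", to="bob@example.com/phone")
    t.send("r2")                             # no 'to': handled by own server
    t.send("r3")
    return [t.check_reply(s) for s in (SPOOFED, GENUINE, SERVER_BARE, SERVER_DOMAIN)]


if __name__ == "__main__":
    for ok, why in demo():
        print(ok, why)
```

The strict default rejects the domain-stamped reply to `r3`; only a client that deliberately trusts its own server's bare domain should turn `accept_server_domain` on, and it should never accept the domain as a valid 'from' for a request that was addressed to some other entity.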