
On Wednesday, Jul 2, 2003, at 14:05 America/Denver, Jacek Konieczny wrote:


> By using this vulnerability and modifying someone's roster one may make
> him start a chat or send a file to a person the user doesn't intend to
> contact. This would require sending one <iq/> to remove the original entry, a
> second one to add a new entry with the same name, and usually a <presence/> to
> show the contact available. The new JID will usually be visible in the chat
> window or in the roster item details, but users usually care about the
> contact name only.


> This method changes the roster copy in the client only and doesn't change the
> original roster on the server. But if the victim changes the forged entry
> (e.g. to fix a typo) it will be sent to his server. However, subscription
> information cannot be changed this way.

I'm not certain what level of vulnerability this really is -- sending an IQ to the client does not make any permanent changes to the user's roster. At worst, I see a new person on my roster (a cosmetic issue) for the duration of my session; when I logout/login the user would be gone (since the server-side roster was not updated).


Also note that people can already send messages (and request file transfers) to others without being on the recipient's roster.

> 5. Proposed fix
>
> In clients, before handling roster pushes, check the "from" attribute and drop
> the request if "from" is set and is not the session's full JID.

Sure -- that's a reasonable way to avoid the fix.


> 6. Possible workaround
>
> On the server, drop all <iq/> stanzas from "outside" containing the
> "jabber:iq:roster" namespace. However, this breaks normal XMPP stanza
> routing rules.

As noted, that would break routing for a variety of reasons -- I strongly discourage anyone from trying this approach.


D.
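The client-side check from the proposed fix (drop a roster push whose "from" is set and is not the session's own full JID), as an added example that is not code from the thread or from any Jabber client; the stanzas and JIDs are constructed, JIDs are assumed to be already normalized, and the optional `allow_bare_jid` switch goes beyond the thread by also accepting the account's bare JID, the rule RFC 6121 section 2.1.6 later standardized.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"

def local_name(tag):
    """'{jabber:client}iq' -> 'iq' (works with or without a namespace)."""
    return tag.rsplit("}", 1)[-1]

def bare_jid(jid):
    """Strip the resource: user@host/res -> user@host."""
    return jid.split("/", 1)[0]

def check_roster_push(stanza_xml, session_full_jid, allow_bare_jid=False):
    """Return (accepted, reason, items) for a received <iq/> stanza.

    accepted is True only for an <iq type='set'/> carrying jabber:iq:roster
    whose 'from' attribute is absent (a genuine push from the user's own
    server) or equals this session's full JID. With allow_bare_jid=True
    the account's bare JID is accepted too (RFC 6121 section 2.1.6).
    items lists (jid, name, subscription) tuples from an accepted push.
    """
    root = ET.fromstring(stanza_xml)
    if local_name(root.tag) != "iq" or root.get("type") != "set":
        return (False, "not an iq set", [])
    query = root.find("{%s}query" % ROSTER_NS)
    if query is None:
        return (False, "no jabber:iq:roster query", [])
    sender = root.get("from")
    if sender is not None:
        trusted = {session_full_jid}
        if allow_bare_jid:
            trusted.add(bare_jid(session_full_jid))
        if sender not in trusted:
            # Forged push from a third party: ignore it, never touch the roster.
            return (False, "from %r is not this session" % sender, [])
    items = [(i.get("jid"), i.get("name"), i.get("subscription"))
             for i in query.findall("{%s}item" % ROSTER_NS)]
    return (True, "ok", items)

# Constructed sample input (not from the thread).
SESSION_JID = "alice@example.org/home"
SERVER_PUSH = ('<iq xmlns="jabber:client" type="set" id="push1">'
               '<query xmlns="jabber:iq:roster">'
               '<item jid="bob@example.org" name="Bob" subscription="both"/>'
               '</query></iq>')
FORGED_PUSH = ('<iq xmlns="jabber:client" type="set" id="x1" '
               'from="mallory@example.net" to="alice@example.org/home">'
               '<query xmlns="jabber:iq:roster">'
               '<item jid="mallory@example.net" name="Bob" subscription="both"/>'
               '</query></iq>')
```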

jdev mailing list
http://mailman.jabber.org/listinfo/jdev