On Wed, Jul 02, 2003 at 10:05:11PM +0200, Jacek Konieczny wrote:
> 3. Impact
>
> The attack cannot be done from Jabber client connection to jabberd
> 1.4.x server because of similar bug (or feature) in this server - it
> doesn't check "to" attribute and all such <iq/>s treats as directed to
> the server. Attacker roster stored on server is modified instead of
> victims ones.

Wouldn't this still be a concern? The roster on the server would be
modified and only corrected if the client exited properly, thus
resyncing its list to the server, right?

-- 
Jamin W. Collins

Remember, root always has a loaded gun. Don't run around with it
unless you absolutely need it. -- Vineet Kumar

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
