On 30.01.2014 16:58, Thijs Alkemade wrote:

On 30 jan. 2014, at 16:36, Alexander Holler <[email protected]> wrote:

On 30.01.2014 13:49, Thijs Alkemade wrote:


Then we have Facebook. All replies to iqs without 'to' have
from='chat.facebook.com':

C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>

jabber.org itself shows a similar problem:

C: <iq type='set' id='purplec5ae5254'>
       <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
    </iq>
S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>


I would say that is correct (and I do the same in my server). No 'to' means the 
target ('to') is the server.

Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the problem 
is when a non-existing 'to' will be replaced by a 'to' with the server's jid 
(usually just the domain). If I read the Pidgin Security Advisory correctly, 
some servers do forward iq-replies which do contain a 'from' of the server, 
which is the real problem. So those failing servers do seem to miss a check for 
the validity of the 'from'.

But replying to an iq without a 'to' with an iq with a 'from' of the server is 
imho correct.

Regards,

Alexander Holler

No, that’s wrong. http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ:

"If the server receives an IQ stanza with no 'to' attribute, it MUST process
the stanza on behalf of the account from which received the stanza, ... by
returning an appropriate IQ stanza of type "result" or "error", responding as
if the server were the bare JID of the sending entity."

Unfortunately that 'bare JID' is missed in rfc 3920 (10.1) and I can't remember why I've implemented it here such that a missing 'to' will be replaced by a 'to' with the server's JID. Maybe because of clients which didn't work otherwise, maybe because I didn't interpret 'MUST either process the stanza on behalf of sending entity' such that 'to' should include the node, maybe because of something else.

But to conclude, I find it confusing that a stanza

<iq from='user@server' to='user@server'>...</iq>

should be the same as a stanza

<iq from='user@server'>...</iq>

Regards,

Alexander Holler
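
The check this thread turns on, sketched from the client side as an added example (not code from this thread, from Pidgin, or from any server mentioned): classify the 'from' of an IQ reply against the request it answers. The function name, the three verdict strings, the own JID, and the choice to also accept a reply with no 'from' for a to-less request are assumptions; JID comparison is simplified to lowercasing rather than full normalization.

```python
import xml.etree.ElementTree as ET

# Stanzas quoted in the thread; OWN_JID is a constructed sample value.
PING_REQUEST = "<iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>"
FACEBOOK_REPLY = "<iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>"
OWN_JID = "user@chat.facebook.com/pidgin"

def split_jid(jid):
    """Return (bare JID lowercased, resource). Simplified: no stringprep/PRECIS."""
    bare, _, resource = jid.partition("/")
    return bare.lower(), resource

def classify_reply(request_xml, reply_xml, own_full_jid):
    """Return 'ok', 'server-domain', 'mismatch', 'id-mismatch' or 'not-a-reply'."""
    req = ET.fromstring(request_xml)
    rep = ET.fromstring(reply_xml)
    if rep.get("type") not in ("result", "error"):
        return "not-a-reply"
    if rep.get("id") != req.get("id"):
        return "id-mismatch"
    req_to, rep_from = req.get("to"), rep.get("from")
    if req_to is not None:
        # Addressed request: only the entity that was asked may answer.
        if rep_from is not None and split_jid(rep_from) == split_jid(req_to):
            return "ok"
        return "mismatch"
    # Request without 'to': RFC 6120 has the server answer as the
    # sender's bare JID (assumption: an absent 'from' is accepted too).
    if rep_from is None:
        return "ok"
    own_bare, _ = split_jid(own_full_jid)
    bare, resource = split_jid(rep_from)
    if bare == own_bare and not resource:
        return "ok"
    # Behaviour shown above for chat.facebook.com and jabber.org: the
    # reply carries the server's domain. Reported separately so the
    # caller decides whether to tolerate it.
    if bare == own_bare.rpartition("@")[2] and not resource:
        return "server-domain"
    return "mismatch"

if __name__ == "__main__":
    print(classify_reply(PING_REQUEST, FACEBOOK_REPLY, OWN_JID))
```
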

