On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <hol...@ahsoftware.de> wrote:
> On 01.02.2014 20:41, Mark Doliner wrote:
>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <hol...@ahsoftware.de> 
>> wrote:
>>> Thijs Alkemade didn't write that an already broken server is necessary to
>>> explore or do something malicious with "delaying" replies or whatever.
>>
>> An already broken server is NOT necessary. The IQ from malicious user
>> to target user might look like this:
>> <iq to="tar...@domain.lit/Resource" id="someid123" type="result">
>>     <query xmlns="jabber:iq:roster">
>>         <item jid="whate...@example.com" subscription="both" />
>>     </query>
>> </iq>
>
> This would end up as a reply from the one who sent that stanza. So
> already a wrong sender. If a client doesn't check that, it's as broken
> as a server which doesn't validate the 'from' attribute.

Yes, that's exactly the point of this email thread. Thijs wanted to
raise awareness that in fact many clients DON'T check the 'from' for
iq replies.
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________
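As an added illustration of the check being discussed (example code, not from the thread or from any XMPP client): a minimal reply matcher that only accepts an IQ result or error whose id belongs to a request this client actually sent, and whose 'from' matches the entity that request was addressed to. The JIDs, ids and stanzas below are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed identities for the example (not from the thread): the local account and its server.
OWN_BARE_JID = "alice@domain.lit"
OWN_SERVER = OWN_BARE_JID.split("@", 1)[1]

# Outstanding IQ requests this client has sent: stanza id -> 'to' of the request (None = our own server).
pending = {}

def send_iq(iq_id, to=None):
    """Remember an outgoing IQ get/set so that its reply can be matched later."""
    pending[iq_id] = to

def accept_iq_reply(stanza_xml):
    """Return True only for an IQ result/error that answers a request we sent
    and that comes from the entity we sent it to; everything else is dropped."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag != "iq" or iq.get("type") not in ("result", "error"):
        return False
    iq_id = iq.get("id")
    if iq_id not in pending:
        return False                      # unsolicited reply: nobody asked for it
    expected_to = pending[iq_id]
    sender = iq.get("from")
    if expected_to is None:
        # Request went to our own server, so the reply may carry no 'from',
        # our bare JID, or the server's domain (RFC 6120 section 8.1.2.1).
        ok = sender in (None, OWN_BARE_JID, OWN_SERVER)
    else:
        ok = sender == expected_to        # reply must come from where the request went
    if ok:
        del pending[iq_id]                # an id is answered exactly once
    return ok

# Constructed stanza modelled on the thread's example: a forged roster "result"
# whose 'from' the server has stamped with the real sender's JID.
FORGED_ROSTER_RESULT = (
    '<iq from="mallory@example.com/res" to="alice@domain.lit/Resource" id="someid123" type="result">'
    '<query xmlns="jabber:iq:roster"><item jid="mallory@example.com" subscription="both"/></query></iq>'
)

# Constructed genuine roster result from our own server (no 'from' attribute).
GENUINE_ROSTER_RESULT = (
    '<iq to="alice@domain.lit/Resource" id="someid123" type="result">'
    '<query xmlns="jabber:iq:roster"><item jid="bob@domain.lit" subscription="both"/></query></iq>'
)
```

A client that processes the roster items before this check passes is the case the thread is warning about.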