On Wed, Jul 02, 2003 at 10:05:11PM +0200, Jacek Konieczny wrote:
3. Impact
The attack cannot be done from a Jabber client connection to a jabberd 1.4.x server because of a similar bug (or feature) in this server - it doesn't check the "to" attribute and treats all such <iq/>s as directed to the server. The attacker's roster stored on the server is modified instead of the victim's.
Wouldn't this still be a concern? The roster on the server would be modified and only corrected if the client exited properly, thus resyncing its list to the server, right?
Why would it be a concern? It's the *attacker's* roster which would be modified in that case, not the victim's. As an aside, clients typically do not "resync" their lists to the server when they exit.
Julian
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
