On 30.01.2014 16:36, Alexander Holler wrote:
Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the problem is when a non-existent 'to' is replaced by a 'to' with the server's jid (usually just the domain). If I read the Pidgin Security Advisory correctly, some servers do forward iq replies which contain a 'from' of the server, which is the real problem. So those failing servers do seem to miss a check for the validity of the 'from'.

Which is, btw., a bug I reported (not publicly) for an undisclosed commercial XMPP server in August 2011.
Regards,
Alexander Holler

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
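The client-side counterpart of the check the post is asking for, as an added illustration that is not part of the mailing-list thread and not Pidgin's or any server's code: a client records, for every iq it sends, which 'from' values a reply may legitimately carry, and drops replies that do not match. For a request with no 'to' (i.e. addressed to the client's own server/account), the acceptable senders follow the client-to-server 'from' rules in RFC 6120 section 8.1.2.1: the server's domain, the account's bare JID, or no 'from' at all. The `IqTracker` class, its method names and all JIDs and stanzas are constructed for this example.

```python
"""Client-side validation of the 'from' on XMPP <iq/> replies.

Added example (not from the JDev post, Pidgin, or any XMPP server). A client
that tracks the expected origin of each pending iq does not have to rely on
the server filtering spoofed 'from' values on forwarded replies.
All JIDs and stanzas used here are constructed sample data.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

CLIENT_NS = "jabber:client"


def bare(jid: str) -> str:
    """Strip the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


class IqTracker:
    """Remembers, per iq id, which 'from' values an answer may carry."""

    def __init__(self, own_jid: str) -> None:
        self.own_jid = own_jid  # full JID, e.g. alice@example.org/laptop
        self.server = bare(own_jid).split("@", 1)[1]  # example.org
        # iq id -> acceptable 'from' values (None means "attribute absent")
        self.pending: Dict[str, Set[Optional[str]]] = {}

    def send(self, iq_id: str, to: Optional[str]) -> None:
        """Record an outgoing iq and the senders its reply may come from."""
        if to is None:
            # No 'to': handled by our own server on behalf of our account.
            # RFC 6120 8.1.2.1: reply 'from' is the server's domain, the
            # account's bare JID, or absent. Anything else is a spoof.
            allowed: Set[Optional[str]] = {self.server, bare(self.own_jid), None}
        else:
            allowed = {to}
        self.pending[iq_id] = allowed

    def accept(self, stanza: str) -> bool:
        """Return True only for a reply whose id and 'from' match a request."""
        el = ET.fromstring(stanza)
        if el.tag != f"{{{CLIENT_NS}}}iq" or el.get("type") not in ("result", "error"):
            return False
        iq_id = el.get("id")
        allowed = self.pending.get(iq_id)
        if allowed is None:
            return False  # unsolicited reply, or id already answered
        if el.get("from") not in allowed:
            return False  # origin does not match the request: discard
        del self.pending[iq_id]  # one answer per request
        return True


if __name__ == "__main__":
    t = IqTracker("alice@example.org/laptop")
    t.send("roster-1", None)
    spoofed = '<iq xmlns="jabber:client" type="result" id="roster-1" from="mallory@example.org/x"/>'
    genuine = '<iq xmlns="jabber:client" type="result" id="roster-1" from="example.org"/>'
    print("spoofed accepted:", t.accept(spoofed))   # False
    print("genuine accepted:", t.accept(genuine))   # True
```

The last line of `accept` matters as much as the origin check: once an id has been answered, a second stanza reusing it is rejected, so an attacker cannot race the legitimate reply with a forged one.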
