Am 01.02.2014 20:41, schrieb Mark Doliner: > On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <[email protected]> > wrote: >> Thijs Alkemade didn't wrote that an already broken server is necessary to >> explore or do something malicious with "delaying" replies or whatever. > > An already broken server is NOT necessary. The IQ from malicious user > to target user might look like this: > <iq to="[email protected]/Resource" id="someid123" type="result"> > <query xmlns="jabber:iq:roster"> > <item jid="[email protected]" subscription="both" /> > </query> > </iq>
This is would end up as a reply from the one who send that stanza. So already a wrong sender. If a client doesn't check that, it's as broken as a server which doesn't validate the 'from' attribute. What should be that talk about a spoofed ID or random IDs if clients are already unable to check the sender? Anyway, have fun. Alexander Holler _______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
