On 02.02.2014 02:30, Mark Doliner wrote:
> On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <[email protected]> wrote:
>> On 01.02.2014 20:41, Mark Doliner wrote:
>>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <[email protected]>
>>> wrote:
>>>> Thijs Alkemade didn't write that an already broken server is necessary to
>>>> explore or do something malicious with "delaying" replies or whatever.
>>>
>>> An already broken server is NOT necessary. The IQ from malicious user
>>> to target user might look like this:
>>>
>>> <iq to="[email protected]/Resource" id="someid123" type="result">
>>>   <query xmlns="jabber:iq:roster">
>>>     <item jid="[email protected]" subscription="both" />
>>>   </query>
>>> </iq>
>>
>> This would end up as a reply from the one who sent that stanza. So
>> already a wrong sender. If a client doesn't check that, it's as broken
>> as a server which doesn't validate the 'from' attribute.
>
> Yes, that's exactly the point of this email thread. Thijs wanted to
> raise awareness that in fact many clients DON'T check the 'from' for
> iq replies.
Oh. Based on the subject, the non-disclosed CVE and the description I had the impression the problem is that clients don't make a difference between 'server' or 'myself' in the 'from' attribute of replies and that this thread was because of misbehaving servers. But not that clients don't check the 'from' at all, which is a slight difference.

Alexander Holler

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
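The check the thread says many clients skip, written out as an added example (this is not code from the thread or from any XMPP library). It tracks every outgoing IQ by its id and accepts a `result`/`error` only if the `from` is one the client is entitled to trust for that particular request: for a request addressed to the client's own server or account (such as a roster get), the reply may carry no `from`, the client's own bare JID, or its server domain, as RFC 6120 section 8.1.2.1 permits; for a request addressed to a specific JID, the reply must come from exactly that JID. The JIDs, the `IqTracker` class and the `secrets`-based id generation are assumptions of this example; the spoofed roster stanza is a constructed copy of the one quoted above.

```python
"""Added example: validate the 'from' of IQ replies against the pending request.
Not code from the thread or from any XMPP client; JIDs below are constructed."""
import secrets
import xml.etree.ElementTree as ET


def bare(jid):
    """Strip the resource: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def domain(jid):
    """Host part of a JID; the server answers some requests under this name."""
    return bare(jid).split("@", 1)[-1]


def local_name(tag):
    """ElementTree prefixes namespaced tags as '{ns}name'; keep only 'name'."""
    return tag.split("}", 1)[-1]


class IqTracker:
    """Assumed helper: remembers outstanding IQ requests keyed by id."""

    def __init__(self, own_jid):
        self.own_jid = own_jid
        # id -> 'to' of the request; None means the request went to our own server/account
        self.pending = {}

    def send_request(self, to=None, iq_id=None):
        """Register an outgoing IQ and return its id (random, so it cannot be guessed)."""
        if iq_id is None:
            iq_id = secrets.token_urlsafe(12)
        self.pending[iq_id] = to
        return iq_id

    def accept_reply(self, stanza_xml):
        """Return True only if this is a reply to a pending request and its 'from'
        is acceptable for that request; anything else is dropped."""
        iq = ET.fromstring(stanza_xml)
        if local_name(iq.tag) != "iq" or iq.get("type") not in ("result", "error"):
            return False
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False  # unsolicited reply, or id already consumed
        requested_to = self.pending[iq_id]
        sender = iq.get("from")
        if requested_to is None:
            # Request went to our own server/account: RFC 6120 8.1.2.1 lets the
            # server answer with no 'from', our bare JID, or the server domain.
            ok = sender in (None, bare(self.own_jid), domain(self.own_jid))
        else:
            # Request went to a specific JID: the reply must come from exactly that JID.
            ok = sender == requested_to
        if ok:
            del self.pending[iq_id]  # one reply per id
        return ok


# Constructed sample: the spoofed roster "result" from the thread, with the
# attacker's JID visible in 'from' because the server stamped it.
SPOOFED_ROSTER_RESULT = (
    '<iq to="alice@example.org/Desktop" from="mallory@example.org" '
    'id="someid123" type="result">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="mallory@example.org" subscription="both"/>'
    '</query></iq>'
)


def demo():
    """Send a roster request to our own server, then feed the spoofed reply."""
    tracker = IqTracker("alice@example.org/Desktop")
    tracker.send_request(iq_id="someid123")  # constructed id matching the sample
    return tracker.accept_reply(SPOOFED_ROSTER_RESULT)  # False: wrong sender


if __name__ == "__main__":
    print("spoofed roster result accepted:", demo())
```

The id is only half of the defence: if it is predictable, an attacker can pre-empt the real reply, so it is generated with `secrets` rather than a counter, and each id is consumed by the first matching reply.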
