I've filed tickets today for:

XMPPFramework: https://github.com/robbiehanson/XMPPFramework/issues/300
Strophe.js: https://github.com/strophe/strophejs/issues/56
SleekXMPP: https://github.com/fritzy/SleekXMPP/issues/278
Miranda-NG: http://trac.miranda-ng.org/ticket/569

A ticket for SMACK already existed: http://issues.igniterealtime.org/browse/SMACK-533?jql=project%20%3D%20SMACK

All of these I managed to spoof in one way or another.

Additionally, I found out both XMPPFramework and SMACK do not check the 'from' on roster pushes. This means that any attacker who knows your resource can, at any moment, so not just a well-timed 100ms window during login, add new entries to somebody's roster. That was filed separately for SMACK here: http://issues.igniterealtime.org/browse/SMACK-538?jql=project%20%3D%20SMACK

Gajim seems to be working properly, all attempts I made did not work (spoofing vcards, iq:version replies, rosters).

InstantBird is still using libpurple instead of their JS implementation, so investigating that again was not necessary. I could not get tkabber to run, so I did not test that further.

Thijs
_______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
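
Added example, not part of the original message and not code from any of the libraries it names: the 'from' check on roster pushes that the message reports as missing, following the RFC 6121 rule that a client ignores a roster push unless it has no 'from' or the 'from' equals the user's own bare JID. All JIDs, stanzas and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
OWN_JID = "juliet@example.com/balcony"  # constructed account and resource

def bare_jid(jid):
    # Drop the resource. lower() is a simplification of the stringprep
    # comparison a real client should use for JIDs.
    return jid.split("/", 1)[0].lower()

def accept_roster_push(stanza_xml, own_full_jid):
    """Return True only if this stanza is a roster push the client may apply."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set":
        return False
    if iq.find("{%s}query" % ROSTER_NS) is None:
        return False
    sender = iq.get("from")
    if sender is None:
        # No 'from': the push comes from the user's own account on the server.
        return True
    # Exact match on the bare JID only. A full JID (even of the same account)
    # or a look-alike domain with the bare JID as prefix is rejected.
    return sender.lower() == bare_jid(own_full_jid)

def push(from_attr):
    # Build a constructed roster push that adds one contact.
    frm = "" if from_attr is None else " from='%s'" % from_attr
    return ("<iq xmlns='jabber:client' type='set' id='p1'%s>"
            "<query xmlns='jabber:iq:roster'>"
            "<item jid='mallory@evil.example' subscription='both'/>"
            "</query></iq>" % frm)

SAMPLES = {
    "server push, no from": push(None),
    "server push, bare JID": push("juliet@example.com"),
    "other entity": push("mallory@evil.example/x"),
    "own account, full JID": push("juliet@example.com/other"),
    "look-alike domain": push("juliet@example.com.evil.example"),
}

def classify_samples():
    return {name: accept_roster_push(xml, OWN_JID) for name, xml in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print("%-24s %s" % (name, "apply" if ok else "ignore"))
```

A client would run this check on the element its stream parser hands it, before touching the local roster, and silently drop anything that fails.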
