Re: [xmpp] IQ Handling vulnerabilities

Alexander Holler <holler@ahsoftware.de> Sat, 08 February 2014 12:24 UTC

On 07.02.2014 16:57, Kevin Smith wrote:

> There are various unlikely (and arguably unimportant, I suppose)
> issues around being able to observe where in a stream a client is. As
> an incredibly contrived example, client A shows client B an id that
> means "You are the first person I'm sending a message to this session"
> and user A says to user B "I'm busy chatting to C in another window".

I would call those information leaks but not vulnerabilities. So
predictable IDs and resource names might lead to some information leaks,
but not checking the from is a vulnerability.

Regards,

Alexander Holler
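
An added example, not part of the original message or of any XMPP library: a minimal client-side tracker that gives each IQ request a random id and accepts a reply only when both the id and the 'from' match the request. The `IQTracker` name, the example.org JIDs, the set of senders accepted for a request sent without a 'to', and the premise that JIDs arrive already normalised are assumptions made for illustration.

```python
import secrets


class IQTracker:
    """Tracks outstanding IQ requests (hypothetical helper, not a library API)."""

    def __init__(self, own_jid):
        # Assumption: JIDs are already normalised, so string equality is enough.
        self.own_bare = own_jid.split("/", 1)[0]
        self.pending = {}  # iq id -> JID the request was addressed to (or None)

    def send(self, to=None):
        # Random id rather than a counter, so the id says nothing about
        # how many stanzas were sent earlier in the stream.
        iq_id = secrets.token_urlsafe(12)
        self.pending[iq_id] = to
        return iq_id

    def _expected_senders(self, to):
        # Assumption: a request with no 'to' (or addressed to our own bare JID)
        # is answered on behalf of our account, so the reply carries either no
        # 'from' or our bare JID. Every other request must be answered by the
        # exact JID it was sent to.
        if to is None or to == self.own_bare:
            return {None, self.own_bare}
        return {to}

    def accept(self, iq_id, sender):
        """Return True and retire the request only if id AND from both match."""
        if iq_id not in self.pending:
            return False  # unknown or already answered id
        if sender not in self._expected_senders(self.pending[iq_id]):
            return False  # right id, wrong sender: keep waiting for the real reply
        del self.pending[iq_id]
        return True


if __name__ == "__main__":
    # Constructed sample exchange.
    tracker = IQTracker("alice@example.org/desk")
    iq_id = tracker.send("bob@example.org/phone")
    print(tracker.accept(iq_id, "mallory@example.net/x"))  # spoofed sender
    print(tracker.accept(iq_id, "bob@example.org/phone"))  # genuine reply
```

A reply from the wrong sender leaves the request pending instead of retiring it, so a third party that learns or guesses the id can neither answer the request nor cancel it.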