Re: [xmpp] IQ Handling vulnerabilities

Alexander Holler <holler@ahsoftware.de> Sat, 08 February 2014 12:06 UTC

Message-ID: <52F61DC4.5010308@ahsoftware.de>
Date: Sat, 08 Feb 2014 13:06:28 +0100
From: Alexander Holler <holler@ahsoftware.de>
To: kevin@kismith.co.uk
References: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com> <52F4C22C.6080305@ahsoftware.de> <CAOb_FnxCGcdmFGaxZfS4_Sf1goMVXQvX_+QmK77QBNMSyBrEPQ@mail.gmail.com>
In-Reply-To: <CAOb_FnxCGcdmFGaxZfS4_Sf1goMVXQvX_+QmK77QBNMSyBrEPQ@mail.gmail.com>
Cc: XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] IQ Handling vulnerabilities

On 07.02.2014 13:21, Kevin Smith wrote:
> On Fri, Feb 7, 2014 at 11:23 AM, Alexander Holler <holler@ahsoftware.de> wrote:

>> A simple rule for clients could be to check that the JID of IQ replies where
>> the origin should be the connected server is either the JID of the server
>> (no node, no resource) or the received bare JID (stripping a possible
>> resource) is the bare JID of the client.
>
> The rules here are clear. If a client sends a stanza without a 'to',
> the server is to handle it as if it was sent to the bare JID of the
> client's session. The server replying with the server JID is a bug.

The rules are only clear for the current RFC 6120, but not for that
obsolete RFC 3120, which I assume was the base for most available
XMPP servers (and many clients).

Regards,

Alexander Holler
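The client-side rule proposed in the quoted text (accept an IQ reply to a stanza sent without 'to' only if its 'from' is absent, is the server's own JID with no node and no resource, or has the same bare JID as the client's session) written out as an added example; this is not code from the thread or from any XMPP implementation, and the minimal JID parser and the sample JIDs are constructed here.

```python
"""Client-side origin check for IQ replies, as discussed in the thread.

Added example, not code from the original mail. It assumes a minimal JID
representation (node@domain/resource); all JIDs used are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Jid:
    node: Optional[str]
    domain: str
    resource: Optional[str]

    @classmethod
    def parse(cls, text: str) -> "Jid":
        # Split "node@domain/resource"; the '@' is only significant before
        # the first '/', since a resource may itself contain '@'.
        local, _, resource = text.partition("/")
        node, at, domain = local.rpartition("@")
        if not at:
            node, domain = None, local
        if not domain:
            raise ValueError(f"missing domain in JID: {text!r}")
        # nodeprep/nameprep case-fold node and domain; the resource is
        # case-sensitive (simplified: full stringprep is not applied here).
        return cls(node.lower() if node else None, domain.lower(), resource or None)

    def bare(self) -> "Jid":
        return Jid(self.node, self.domain, None)


def is_trusted_server_reply(client_jid: str, reply_from: Optional[str]) -> bool:
    """Return True if an IQ reply to a stanza sent without 'to' may be
    treated as coming from the client's own server.

    Accepted origins: no 'from' at all; the server JID itself (no node,
    no resource); or any JID whose bare form equals the client's bare JID
    (the server answering as the account, which is RFC 6120 behaviour).
    Anything else (another user, a foreign domain, a server JID carrying
    a resource) is rejected.
    """
    me = Jid.parse(client_jid)
    if reply_from is None:
        return True
    sender = Jid.parse(reply_from)
    if sender.node is None and sender.resource is None:
        return sender.domain == me.domain
    return sender.bare() == me.bare()
```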