Fwd: Instant disconnect vulnerability

John Bailey rekkanoryo at rekkanoryo.org
Sun Aug 15 13:56:19 EDT 2010


On 08/15/2010 12:22 PM, Cory McIntire wrote:
>>> Cory: So you're saying that if a user sends that character to a chat
>>> room, then any Pidgin user in the chat room will get disconnected by
>>> the jabber server?
>>
>> If the server is stupid and allows passing the invalid characters, yes.  This
>> means pretty much every openfire server ever to exist.
>>
> 
> Just to clarify, we are running an Openfire server in our environment. 

Actually, I wasn't completely clear here.  In this case, Pidgin is disconnecting
because it is receiving the invalid XML.  Pidgin does this *because it's
required to.*  (Paul or Etan can, no doubt, point out the exact location in the
XMPP RFC where this is specified.)

Our issue here is that we're allowing the invalid XML to be sent in the first
place, which is just complicated by the fact that Openfire is stupid and broken
and passes any random garbage from any client to any other client.  A server
that isn't broken, such as ejabberd, will disconnect us with a stream error or
somesuch (I don't remember the details) when it receives the invalid XML from us
and will *not* pass the invalid XML on to other clients.

Now, as I already said, we've got a bug in that we allow the invalid XML to go
out.  This obviously must be fixed as soon as possible.  That said, it's
actually not a security issue with our code.  The Pidgin clients on the
receiving side are doing exactly as they're supposed to per the XMPP RFC.

The thing that complicates this so much and makes it frustrating for everyone
involved is that Openfire is not adhering to the XMPP RFC--that's where the
security issue lies in this case.  Since Openfire does not disconnect clients
that send invalid XML to the server and instead propagates that invalid XML,
it's actually Openfire causing the denial of service with RFC-compliant clients.
This particular issue is a perfect example of why the server is required to
disconnect misbehaving clients and why I hate Openfire with a passion.

John
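The missing outbound check the mail describes, as an added Python example (not Pidgin's or Openfire's code): the sender must never put characters outside the XML 1.0 Char production on the wire, and a compliant peer closes the stream when it sees them. The room JID and chat text are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production.  Anything outside these ranges (most C0 control
# characters, lone surrogates, U+FFFE/U+FFFF) may never appear in a stream,
# not even as escaped character data.
_FORBIDDEN = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def find_invalid_xml_chars(text):
    """List (offset, codepoint) for every character XML 1.0 forbids."""
    return [(m.start(), ord(m.group())) for m in _FORBIDDEN.finditer(text)]

def sanitize_for_xml(text, replacement="\ufffd"):
    """Replace forbidden characters so the outgoing stanza stays well-formed.
    Dropping them (replacement='') is an equally valid policy."""
    return _FORBIDDEN.sub(replacement, text)

def build_groupchat(body, to="room@conference.example.org", sanitize=True):
    """Assemble a groupchat <message/> the way a sending client would.
    escape() handles & < > but NOT control characters; the sanitize step is
    the check the mail says is missing on the sending side."""
    if sanitize:
        body = sanitize_for_xml(body)
    return ('<message to="%s" type="groupchat"><body>%s</body></message>'
            % (escape(to, {'"': '&quot;'}), escape(body)))

def compliant_peer_accepts(stanza):
    """Model of an RFC-compliant server or client: a stanza that is not
    well-formed XML means the stream must be closed.  True = accepted."""
    try:
        ET.fromstring(stanza)
        return True
    except (ET.ParseError, ValueError):  # ValueError: unencodable surrogates
        return False

if __name__ == "__main__":
    chat_line = "brb\x01 lunch"   # constructed: text with a stray control character
    print(find_invalid_xml_chars(chat_line))                                   # [(3, 1)]
    print(compliant_peer_accepts(build_groupchat(chat_line, sanitize=False)))  # False
    print(compliant_peer_accepts(build_groupchat(chat_line)))                  # True
```

A server in the Openfire role would run the same well-formedness check on every inbound stanza and close the offending client's stream instead of relaying it.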
