Fwd: Instant disconnect vulnerability
Mark Doliner
mark at kingant.net
Tue Aug 17 04:15:57 EDT 2010
On Sun, Aug 15, 2010 at 10:56 AM, John Bailey <rekkanoryo at rekkanoryo.org> wrote:
> On 08/15/2010 12:22 PM, Cory McIntire wrote:
>>>> Cory: So you're saying that if a user sends that character to a chat
>>>> room, then any Pidgin user in the chat room will get disconnected by
>>>> the jabber server?
>>>
>>> If the server is stupid and allows passing the invalid characters, yes. This
>>> means pretty much every openfire server ever to exist.
>>>
>>
>> Just to clarify, we are running an Openfire server in our environment.
>
> Actually, I wasn't completely clear here. In this case, Pidgin is disconnecting
> because it is receiving the invalid XML. Pidgin does this *because it's
> required to.* (Paul or Etan can, no doubt, point out the exact location in the
> XMPP RFC where this is specified.)
See section 11.3 of the XMPP core RFC:
http://xmpp.org/rfcs/rfc3920.html#xml or
http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
And the XML standard:
http://www.w3.org/TR/2008/REC-xml-20081126/#sec-well-formed
> Our issue here is that we're allowing the invalid XML to be sent in the first
> place, which is just complicated by the fact that Openfire is stupid and broken
> and passes any random garbage from any client to any other client. A server
> that isn't broken, such as ejabberd, will disconnect us with a stream error or
> somesuch (I don't remember the details) when it receives the invalid XML from us
> and will *not* pass the invalid XML on to other clients.
>
> Now, as I already said, we've got a bug in that we allow the invalid XML to go
> out. This obviously must be fixed as soon as possible. That said, it's
> actually not a security issue with our code. The Pidgin clients on the
> receiving side are doing exactly as they're supposed to per the XMPP RFC.
After reading a bit, I totally agree. I'll try to make a few changes
to improve this over the next few days. No guarantees.
> The thing that complicates this so much and makes it frustrating for everyone
> involved is that Openfire is not adhering to the XMPP RFC--that's where the
> security issue lies in this case. Since Openfire does not disconnect clients
> that send invalid XML to the server and instead propagates that invalid XML,
> it's actually Openfire causing the denial of service with RFC-compliant clients.
> This particular issue is a perfect example of why the server is required to
> disconnect misbehaving clients and why I hate Openfire with a passion.
I'll report this to them and do my best to get them to fix it. It's
worth pointing out that someone notified them about this 3 years ago
and they mostly ignored it:
http://community.igniterealtime.org/message/130202
But in any case, Pidgin is behaving correctly, so this is not a Pidgin
security problem.
--Mark
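The bug John describes on the sending side (letting characters that are not legal XML out in a stanza) is the part a client can fix; the receiving side is required to drop the stream. The following is an added example, not Pidgin's own code, showing one way to do that: filter outgoing message bodies against the XML 1.0 Char production referenced above, then check the resulting stanza with a strict parser. The stanza layout, the JID and the function names are assumptions made for the example; the sample text is constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# XML 1.0 section 2.2 "Char" production: anything outside these ranges
# (most C0 controls, U+FFFE/U+FFFF, lone surrogates) makes a stanza
# not well-formed, and an RFC 3920 section 11.3 compliant peer closes
# the stream when it sees one. Regex written as the complement.
_XML_INVALID = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def strip_invalid_xml_chars(text):
    """Remove every code point that the XML Char production forbids."""
    return _XML_INVALID.sub("", text)


def build_message_stanza(to, body, sanitize=True):
    """Build a groupchat <message/> stanza (assumed layout).

    sanitize=False reproduces the failure mode from the thread: the raw
    body goes out unfiltered. Kept only so the check below can show the
    difference; a real client would always sanitize.
    """
    text = strip_invalid_xml_chars(body) if sanitize else body
    # escape() handles &, <, >; quoteattr() additionally quotes the attribute.
    return '<message to=%s type="groupchat"><body>%s</body></message>' % (
        quoteattr(to),
        escape(text),
    )


def stanza_is_well_formed(stanza):
    """Strict well-formedness check, as a receiving parser would apply it."""
    try:
        ET.fromstring(stanza)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a vertical tab (U+000B) is not an XML Char.
    room = "room@conference.example"   # placeholder JID
    raw = "hello\x0bworld"
    print(stanza_is_well_formed(build_message_stanza(room, raw, sanitize=False)))  # False
    print(stanza_is_well_formed(build_message_stanza(room, raw)))                 # True
```

Stripping is the conservative choice here; replacing with U+FFFD would also keep the stanza well-formed, but the point is that nothing outside the Char production ever reaches the wire, regardless of whether the server in between enforces the RFC.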