Fwd: Instant disconnect vulnerability

Mark Doliner mark at kingant.net
Tue Aug 17 04:15:57 EDT 2010

On Sun, Aug 15, 2010 at 10:56 AM, John Bailey <rekkanoryo at rekkanoryo.org> wrote:
> On 08/15/2010 12:22 PM, Cory McIntire wrote:
>>>> Cory: So you're saying that if a user sends that character to a chat
>>>> room, then any Pidgin user in the chat room will get disconnected by
>>>> the jabber server?
>>> If the server is stupid and allows passing the invalid characters, yes.  This
>>> means pretty much every openfire server ever to exist.
>> Just to clarify, we are running an Openfire server in our environment.
> Actually, I wasn't completely clear here.  In this case, Pidgin is disconnecting
> because it is receiving the invalid XML.  Pidgin does this *because it's
> required to.*  (Paul or Etan can, no doubt, point out the exact location in the
> XMPP RFC where this is specified.)

See section 11.3 of the XMPP core RFC:
http://xmpp.org/rfcs/rfc3920.html#xml or
And the XML standard:

> Our issue here is that we're allowing the invalid XML to be sent in the first
> place, which is just complicated by the fact that Openfire is stupid and broken
> and passes any random garbage from any client to any other client.  A server
> that isn't broken, such as ejabberd, will disconnect us with a stream error or
> somesuch (I don't remember the details) when it receives the invalid XML from us
> and will *not* pass the invalid XML on to other clients.
> Now, as I already said, we've got a bug in that we allow the invalid XML to go
> out.  This obviously must be fixed as soon as possible.  That said, it's
> actually not a security issue with our code.  The Pidgin clients on the
> receiving side are doing exactly as they're supposed to per the XMPP RFC.

After reading a bit, I totally agree.  I'll try to make a few changes
to improve this over the next few days.  No guarantees.

> The thing that complicates this so much and makes it frustrating for everyone
> involved is that Openfire is not adhering to the XMPP RFC--that's where the
> security issue lies in this case.  Since Openfire does not disconnect clients
> that send invalid XML to the server and instead propagates that invalid XML,
> it's actually Openfire causing the denial of service with RFC-compliant clients.
>  This particular issue is a perfect example of why the server is required to
> disconnect misbehaving clients and why I hate Openfire with a passion.

I'll report this to them and do my best to get them to fix it.  It's
worth pointing out that someone notified them about this 3 years ago
and they mostly ignored it:

But in any case, Pidgin is behaving correctly, so this is not a Pidgin
security problem.


More information about the security mailing list