Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 14:30:57 EDT 2010

Ok, I've contacted the Openfire people.  It turns out Tigase has this
flaw, also, so I contacted them (via a little submission form on their
web site).  I'll forward all the emails to Cory and this list... I
don't know if you guys are actually interested.  If I'm driving you
crazy then let me know and I'll refrain from forwarding more emails
about this in the future.


---------- Forwarded message ----------
From: Mark Doliner <mark at kingant.net>
Date: Tue, Aug 17, 2010 at 1:37 AM
Subject: Openfire should not pass through non-well-formed XML
To: security at igniterealtime.org

Hi!  As far as I've been able to tell, XMPP servers should disconnect
clients that send illegal XML characters[1].  And more importantly,
XMPP servers should NOT pass through illegal XML characters.

The original RFC3920[2] is a little vague on this issue (search for
"well-formed"), but Peter Saint-Andre's current draft revision[3] is
fairly clear:
"An XMPP entity MUST NOT accept data that is not XML-well-formed;
instead it MUST return an <xml-not-well-formed/> stream error and
close the stream over which the data was received."

I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
1. Start two instances of Pidgin (if you're using a single computer
then you will probably need to use the --multiple flag)
2. In each instance, create and log in to a separate account on a
single Openfire server
3. In one of the instances, set your status to "away" and type the
message "test" then <ctrl>+<shift>+u then 013 then space.  This will
insert the ASCII character 013 aka 0x0b aka vertical tab
4. The other instance will be disconnected

Background: I'm a developer on the Pidgin IM client.  We had a bug
reported to us that Pidgin clients disconnect if someone in your buddy
list inserts an illegal XML character into their status message.  I
believe Pidgin's behavior is correct, according to the XMPP standards.
This effectively allows clients connected to an Openfire server to
perform denial of service attacks against each other, which is why I
believe this is somewhat of a security issue.  It appears this issue
was brought up on your forum some time ago[4], but there was no

If you have any questions, or disagree with my conclusions, please let
me know and we can discuss further.

[1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
[2] http://xmpp.org/rfcs/rfc3920.html
[3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
[4] http://community.igniterealtime.org/message/130202
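
The server-side check the message above asks for, as an added example (not code from Openfire, Tigase, Pidgin, or the original e-mail): reject inbound data containing characters outside the XML 1.0 Char production[1], including numeric character references that resolve to one, and answer the sender with the stream error instead of relaying. The function names and the sample stanza are constructed for illustration, and the check covers character legality only, not full well-formedness.

```python
import re

# XML 1.0 section 2.2 "Char": #x9 | #xA | #xD | [#x20-#xD7FF] |
# [#xE000-#xFFFD] | [#x10000-#x10FFFF]. Anything else is illegal.
_ILLEGAL = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)
# A numeric character reference must also resolve to a legal Char.
_CHARREF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

# Stream error named in the quoted draft; namespace as defined by RFC 3920.
STREAM_ERROR = (
    "<stream:error>"
    "<xml-not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "</stream:error></stream:stream>"
)


def find_violation(data: bytes):
    """Describe the first illegal character in data, or return None."""
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return f"invalid UTF-8 at byte {exc.start}"
    m = _ILLEGAL.search(text)
    if m:
        return f"illegal character U+{ord(m.group()):04X} at offset {m.start()}"
    # Simplification: text is treated as character data, so a reference-like
    # string inside a CDATA section would be flagged as well.
    for ref in _CHARREF.finditer(text):
        cp = int(ref.group(1), 16) if ref.group(1) else int(ref.group(2))
        if cp > 0x10FFFF or _ILLEGAL.match(chr(cp)):
            return f"illegal character reference {ref.group()} at offset {ref.start()}"
    return None


def handle_inbound(data: bytes):
    """Relay clean data; otherwise close the sender's stream with an error."""
    reason = find_violation(data)
    if reason is None:
        return ("relay", data, None)
    return ("close", STREAM_ERROR.encode("utf-8"), reason)


# Constructed sample: the status from the reproduction steps ("test" + 0x0b).
SAMPLE = b"<presence><show>away</show><status>test\x0b</status></presence>"

if __name__ == "__main__":
    print(handle_inbound(SAMPLE))
```

With this check in the inbound path, the sender of the vertical tab is the one whose stream is closed, and the stanza never reaches the contacts on their roster.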
