Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 14:31:16 EDT 2010

---------- Forwarded message ----------
From: Guus der Kinderen <guus.der.kinderen at gmail.com>
Date: Tue, Aug 17, 2010 at 1:49 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: security <security at igniterealtime.org>

Hi Mark,

Thanks for reporting this problem in such a detailed way. I'm
currently very occupied with my daytime job - I'll look into this the
first opportunity that I have though. In the mean time: from the top
of my head, I remember that we've fixed a similar bug in the past.
What version of the Openfire server are you using to reproduce this
bug? Can you reproduce this bug on the igniterealtime.org domain
(which runs the latest trunk version of Openfire)?



On 17 August 2010 10:37, Mark Doliner <mark at kingant.net> wrote:
> Hi!  As far as I've been able to tell, XMPP servers should disconnect
> clients that send illegal XML characters[1].  And more importantly,
> XMPP servers should NOT pass through illegal XML characters.
> The original RFC3920[2] is a little vague on this issue (search for
> "well-formed"), but Peter Saint-Andre's current draft revision[3] is
> fairly clear:
> "An XMPP entity MUST NOT accept data that is not XML-well-formed;
> instead it MUST return an <xml-not-well-formed/> stream error and
> close the stream over which the data was received."
> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
> 1. Start two instances of Pidgin (if you're using a single computer
> then you will probably need to use the --multiple flag)
> 2. In each instance, create and login to a separate account on a
> single Openfire server
> 3. In one of the instances, set your status to "away" and type the
> message "test" then <ctrl>+<shift>+u then 013 then space.  This will
> insert the ASCII character 013 aka 0x0b aka vertical tab
> 4. The other instance will be disconnected
> Background: I'm a developer on the Pidgin IM client.  We had a bug
> reported to us that Pidgin clients disconnect if someone in your buddy
> list inserts an illegal XML character into their status message.  I
> believe Pidgin's behavior is correct, according to the XMPP standards.
>  This effectively allows clients connected to an Openfire server to
> perform denial of service attacks against each other, which is why I
> believe this is somewhat of a security issue.  It appears this issue
> was brought up on your forum some time ago[4], but there was no
> resolution.
> If you have any questions, or disagree with my conclusions, please let
> me know and we can discuss further.
> Thanks,
> Mark
> [1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
> [2] http://xmpp.org/rfcs/rfc3920.html
> [3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
> [4] http://community.igniterealtime.org/message/130202

More information about the security mailing list