Fwd: Openfire should not pass through non-well-formed XML
mark at kingant.net
Tue Aug 17 14:31:50 EDT 2010
---------- Forwarded message ----------
From: daryl herzmann <akrherz at iastate.edu>
Date: Tue, Aug 17, 2010 at 4:36 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: "security at igniterealtime.org" <security at igniterealtime.org>
Thanks for your message. Here is a pidgin ticket related to this:
and an openfire ticket along these lines:
I also noted that your reported issue occurs in Tigase. Hopefully
we'll figure out how to fix this.
On Tue, 17 Aug 2010, Mark Doliner wrote:
> Hi! As far as I've been able to tell, XMPP servers should disconnect
> clients that send illegal XML characters. And more importantly,
> XMPP servers should NOT pass through illegal XML characters.
> The original RFC3920 is a little vague on this issue (search for
> "well-formed"), but Peter Saint-Andre's current draft revision is
> fairly clear:
> "An XMPP entity MUST NOT accept data that is not XML-well-formed;
> instead it MUST return an <xml-not-well-formed/> stream error and
> close the stream over which the data was received."
> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
> 1. Start two instances of Pidgin (if you're using a single computer
> then you will probably need to use the --multiple flag)
> 2. In each instance, create and log in to a separate account on a
> single Openfire server
> 3. In one of the instances, set your status to "away" and type the
> message "test" then <ctrl>+<shift>+u then 013 then space. This will
> insert the ASCII character 013 aka 0x0b aka vertical tab
> 4. The other instance will be disconnected
> Background: I'm a developer on the Pidgin IM client. We had a bug
> reported to us that Pidgin clients disconnect if someone in your buddy
> list inserts an illegal XML character into their status message. I
> believe Pidgin's behavior is correct, according to the XMPP standards.
> This effectively allows clients connected to an Openfire server to
> perform denial of service attacks against each other, which is why I
> believe this is somewhat of a security issue. It appears this issue
> was brought up on your forum some time ago, but there was no
> If you have any questions, or disagree with my conclusions, please let
> me know and we can discuss further.
>  http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
>  http://xmpp.org/rfcs/rfc3920.html
>  http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
>  http://community.igniterealtime.org/message/130202
* Daryl Herzmann
* Assistant Scientist -- Iowa Environmental Mesonet
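
The server-side check the quoted draft text calls for, as an added example that is not part of the original thread and is not Openfire's or Pidgin's code: scan a received stanza against the XML 1.0 Char production, then parse it, and answer with the <xml-not-well-formed/> stream error instead of routing it. The function names and sample stanzas are constructed for illustration, and each stanza is treated as a standalone document rather than as part of a long-lived stream.

```python
import re
from xml.parsers import expat

# XML 1.0 "Char" production (section 2.2 of the W3C recommendation cited in
# the thread). Anything outside these ranges may not appear in a document.
_NOT_XML_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

# Stream error named in the quoted draft text; namespace from RFC 3920.
STREAM_ERROR = (
    "<stream:error>"
    '<xml-not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/>'
    "</stream:error></stream:stream>"
)

# Constructed sample stanzas (not captured traffic).
CLEAN = "<presence><show>away</show><status>test</status></presence>"
RAW_VT = "<presence><show>away</show><status>test\x0b </status></presence>"
REF_VT = "<presence><show>away</show><status>test&#x0B; </status></presence>"


def illegal_chars(text):
    """Return (offset, code point) for every character XML 1.0 forbids."""
    return [(m.start(), ord(m.group())) for m in _NOT_XML_CHAR.finditer(text)]


def check_stanza(raw):
    """Decide whether a received stanza may be routed onward.

    Returns (True, None) when it is well-formed, else (False, STREAM_ERROR),
    after which the caller closes the sender's stream.
    """
    if illegal_chars(raw):
        return False, STREAM_ERROR
    try:
        # A full parse also catches what the character scan cannot, such as
        # a numeric reference (&#x0B;) that expands to a forbidden character.
        expat.ParserCreate().Parse(raw, True)
    except expat.ExpatError:
        return False, STREAM_ERROR
    return True, None


if __name__ == "__main__":
    for name, stanza in (("clean", CLEAN), ("raw VT", RAW_VT), ("ref VT", REF_VT)):
        print(name, check_stanza(stanza)[0], illegal_chars(stanza))
```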