Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 14:31:50 EDT 2010

---------- Forwarded message ----------
From: daryl herzmann <akrherz at iastate.edu>
Date: Tue, Aug 17, 2010 at 4:36 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: "security at igniterealtime.org" <security at igniterealtime.org>

Hi Mark,

Thanks for your message.  Here is a pidgin ticket related to this:


and an openfire ticket along these lines:


I also noted that your reported issue occurs in Tigase.  Hopefully
we'll figure out how to fix this.


On Tue, 17 Aug 2010, Mark Doliner wrote:

> Hi!  As far as I've been able to tell, XMPP servers should disconnect
> clients that send illegal XML characters[1].  And more importantly,
> XMPP servers should NOT pass through illegal XML characters.
>
> The original RFC3920[2] is a little vague on this issue (search for
> "well-formed"), but Peter Saint-Andre's current draft revision[3] is
> fairly clear:
>
> "An XMPP entity MUST NOT accept data that is not XML-well-formed;
> instead it MUST return an <xml-not-well-formed/> stream error and
> close the stream over which the data was received."
>
> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
>
> 1. Start two instances of Pidgin (if you're using a single computer
> then you will probably need to use the --multiple flag)
> 2. In each instance, create and login to a separate account on a
> single Openfire server
> 3. In one of the instances, set your status to "away" and type the
> message "test" then <ctrl>+<shift>+u then 013 then space.  This will
> insert the ASCII character 013 aka 0x0b aka vertical tab
> 4. The other instance will be disconnected
>
> Background: I'm a developer on the Pidgin IM client.  We had a bug
> reported to us that Pidgin clients disconnect if someone in your buddy
> list inserts an illegal XML character into their status message.  I
> believe Pidgin's behavior is correct, according to the XMPP standards.
>
> This effectively allows clients connected to an Openfire server to
> perform denial of service attacks against each other, which is why I
> believe this is somewhat of a security issue.  It appears this issue
> was brought up on your forum some time ago[4], but there was no
> resolution.
>
> If you have any questions, or disagree with my conclusions, please let
> me know and we can discuss further.
>
> Thanks,
> Mark
>
> [1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
> [2] http://xmpp.org/rfcs/rfc3920.html
> [3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
> [4] http://community.igniterealtime.org/message/130202

 * Daryl Herzmann
 * Assistant Scientist -- Iowa Environmental Mesonet
 * http://mesonet.agron.iastate.edu
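
Added example, not part of the original thread and not Openfire, Tigase or Pidgin code: a sketch of the server-side check the quoted draft text calls for, rejecting inbound data that contains a character outside the XML 1.0 Char production [1] instead of relaying it. The function names and sample stanzas are hypothetical; a real server enforces this inside its XML parser, and this scan treats every numeric character reference in the buffer as a reference.

```python
import re

# XML 1.0 Char production (reference [1] in the quoted message):
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
_ILLEGAL = re.compile(
    "[^\t\n\r\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")
# A numeric character reference must also resolve to a legal Char,
# so "&#xB;" is as non-well-formed as a raw 0x0b byte.
_CHARREF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

# Stream error named in the quoted draft, followed by the stream close.
STREAM_ERROR = (
    "<stream:error>"
    "<xml-not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "</stream:error></stream:stream>"
)

def first_illegal_char(data: bytes):
    """Return (offset, reason) for the first illegal character, else None.

    The offset is a byte offset for UTF-8 errors, a character offset otherwise.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start, "invalid UTF-8"
    hits = []
    raw = _ILLEGAL.search(text)
    if raw:
        hits.append((raw.start(), "raw U+%04X" % ord(raw.group())))
    for ref in _CHARREF.finditer(text):
        base = 16 if ref.group(1) else 10
        digits = (ref.group(1) or ref.group(2)).lstrip("0") or "0"
        # Over-long values cannot be code points; avoid huge int parsing.
        cp = int(digits, base) if len(digits) <= 8 else 0x110000
        if cp > 0x10FFFF or _ILLEGAL.match(chr(cp)):
            hits.append((ref.start(), "reference to U+%04X" % cp))
            break
    return min(hits) if hits else None

def handle_inbound(data: bytes):
    """Relay well-formed data; otherwise answer with the stream error."""
    if first_illegal_char(data) is None:
        return "relay", data.decode("utf-8")
    return "close", STREAM_ERROR
```

With this check on the receiving side of the server, the sender of the bad status is the one whose stream is closed, and the data never reaches other clients.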
