Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 14:32:08 EDT 2010


---------- Forwarded message ----------
From: Mark Doliner <mark at kingant.net>
Date: Tue, Aug 17, 2010 at 9:17 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Guus der Kinderen <guus.der.kinderen at gmail.com>
Cc: security <security at igniterealtime.org>


Hi Guus.  I used Openfire 3.6.4 (the latest version listed at
http://www.igniterealtime.org/downloads/index.jsp) when testing.  I
tested with igniterealtime.org just now and it is also affected.

Thanks,
Mark

On Tue, Aug 17, 2010 at 1:49 AM, Guus der Kinderen
<guus.der.kinderen at gmail.com> wrote:
> Hi Mark,
>
> Thanks for reporting this problem in such a detailed way. I'm
> currently very occupied with my daytime job - I'll look into this the
> first opportunity that I have though. In the meantime: from the top
> of my head, I remember that we've fixed a similar bug in the past.
> What version of the Openfire server are you using to reproduce this
> bug? Can you reproduce this bug on the igniterealtime.org domain
> (which runs the latest trunk version of Openfire)?
>
> Regards,
>
>  Guus
>
> On 17 August 2010 10:37, Mark Doliner <mark at kingant.net> wrote:
>> Hi!  As far as I've been able to tell, XMPP servers should disconnect
>> clients that send illegal XML characters[1].  And more importantly,
>> XMPP servers should NOT pass through illegal XML characters.
>>
>> The original RFC3920[2] is a little vague on this issue (search for
>> "well-formed"), but Peter Saint-Andre's current draft revision[3] is
>> fairly clear:
>> "An XMPP entity MUST NOT accept data that is not XML-well-formed;
>> instead it MUST return an <xml-not-well-formed/> stream error and
>> close the stream over which the data was received."
>>
>> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
>> 1. Start two instances of Pidgin (if you're using a single computer
>> then you will probably need to use the --multiple flag)
>> 2. In each instance, create and log in to a separate account on a
>> single Openfire server
>> 3. In one of the instances, set your status to "away" and type the
>> message "test" then <ctrl>+<shift>+u then 013 then space.  This will
>> insert the ASCII character 013 aka 0x0b aka vertical tab
>> 4. The other instance will be disconnected
>>
>> Background: I'm a developer on the Pidgin IM client.  We had a bug
>> reported to us that Pidgin clients disconnect if someone in your buddy
>> list inserts an illegal XML character into their status message.  I
>> believe Pidgin's behavior is correct, according to the XMPP standards.
>>  This effectively allows clients connected to an Openfire server to
>> perform denial of service attacks against each other, which is why I
>> believe this is somewhat of a security issue.  It appears this issue
>> was brought up on your forum some time ago[4], but there was no
>> resolution.
>>
>> If you have any questions, or disagree with my conclusions, please let
>> me know and we can discuss further.
>> Thanks,
>> Mark
>>
>> [1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
>> [2] http://xmpp.org/rfcs/rfc3920.html
>> [3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
>> [4] http://community.igniterealtime.org/message/130202
>>
>
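
The check the report asks a server to make before relaying a stanza, as an added example that is not part of the original messages and is not Openfire or Pidgin code. The function names and sample stanzas are constructed for illustration; the stream error element comes from the quoted draft, and expat stands in for a strict recipient-side parser.

```python
import re
from xml.parsers import expat

# XML 1.0 Char production (reference [1] in the message):
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
_ILLEGAL = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")
# A numeric character reference must also resolve to a legal Char.
_CHARREF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

# Stream error named in the quoted draft; namespace as defined in RFC 3920.
STREAM_ERROR = ("<stream:error><xml-not-well-formed "
                "xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
                "</stream:error></stream:stream>")

# Constructed sample stanzas (not captured traffic).
GOOD = "<presence><show>away</show><status>test</status></presence>"
BAD_RAW = "<presence><show>away</show><status>test\x0b</status></presence>"
BAD_REF = "<presence><show>away</show><status>test&#11;</status></presence>"

def first_illegal_char(text):
    """Return (offset, code point) of the first illegal character, or None."""
    m = _ILLEGAL.search(text)
    hits = [(m.start(), ord(m.group()))] if m else []
    for ref in _CHARREF.finditer(text):
        cp = int(ref.group(1), 16) if ref.group(1) else int(ref.group(2))
        if cp > 0x10FFFF or _ILLEGAL.match(chr(cp)):
            hits.append((ref.start(), cp))
            break
    return min(hits) if hits else None

def route_stanza(stanza):
    """Hypothetical server hook: relay the stanza or close the sender's stream."""
    bad = first_illegal_char(stanza)
    if bad is not None:
        return ("close", STREAM_ERROR, bad)
    return ("forward", stanza, None)

def expat_accepts(stanza):
    """True if a strict XML parser (what a recipient might run) accepts it."""
    try:
        expat.ParserCreate().Parse(stanza, True)
        return True
    except expat.ExpatError:
        return False

if __name__ == "__main__":
    for s in (GOOD, BAD_RAW, BAD_REF):
        print(route_stanza(s)[0], expat_accepts(s))
```

Rejecting at the sender's stream keeps the failure with the client that produced the bad data, instead of with every contact whose parser refuses it.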

