Fwd: [Support request] Tigase XMPP server should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 19:21:48 EDT 2010


---------- Forwarded message ----------
From: Artur Hefczyc <artur.hefczyc at tigase.org>
Date: Tue, Aug 17, 2010 at 3:59 PM
Subject: Re: [Support request] Tigase XMPP server should not pass
through non-well-formed XML
To: mark at kingant.net


Hi Mark,

Thank you for your message and letting me know about the problem.
I will look at it at the earliest possible time.
By the way, is the 0x0b character really an invalid XML character?

Artur

On Aug 17, 2010, at 2:25 PM, Tigase.org Support wrote:

> Mark Doliner sent a message using the contact form at
> http://www.tigase.org/contact.
>
> Hi!  As far as I've been able to tell, XMPP servers should disconnect clients
> that send illegal XML characters[1].  And more importantly, XMPP servers
> should NOT pass through illegal XML characters.
>
> The original RFC3920[2] is a little vague on this issue (search for
> "well-formed"), but Peter Saint-Andre's current draft revision[3] is fairly
> clear:
> "An XMPP entity MUST NOT accept data that is not XML-well-formed; instead it
> MUST return an <xml-not-well-formed/> stream error and close the stream over
> which the data was received."
>
> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
> 1. Start two instances of Pidgin (if you're using a single computer then you
> will probably need to use the --multiple flag)
> 2. In each instance, login to a separate account on a single Tigase server (I
> used tigase.im)
> 3. In one of the instances, set your status to "away" and type the message
> "test" then <ctrl>+<shift>+u then 013 then space.  This will insert the ASCII
> character 013 aka 0x0b aka vertical tab
> 4. The other instance will be disconnected
>
> Background: I'm a developer on the Pidgin IM client.  We had a bug reported
> to us that Pidgin clients disconnect if someone in your buddy list inserts an
> illegal XML character into their status message.  I believe Pidgin's behavior
> is correct, according to the XMPP standards.  This effectively allows clients
> connected to a Tigase server to perform denial of service attacks against
> each other, which is why I believe this is somewhat of a security issue.
>
> If you have any questions, or disagree with my conclusions, or if there is a
> better place for me to report this, please let me know and we can discuss
> further.
> Thanks,
> Mark
>
> [1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
> [2] http://xmpp.org/rfcs/rfc3920.html
> [3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
>

Artur
--
Artur Hefczyc
http://www.tigase.org/
http://artur.hefczyc.net/
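An added example (not code from Mark's report or from Tigase) that answers the question above: it implements the XML 1.0 "Char" production from reference [1], cross-checks it against Python's expat-backed parser, and shows the server-side decision the quoted draft requires instead of relaying the bytes to other clients. The presence stanza is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XML 1.0 Char production (http://www.w3.org/TR/2008/REC-xml-20081126/#charsets):
# Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# 0x0B (vertical tab) falls in none of these ranges, so it is not a legal XML character.
XML_CHAR_RANGES = (
    (0x9, 0x9), (0xA, 0xA), (0xD, 0xD),
    (0x20, 0xD7FF), (0xE000, 0xFFFD), (0x10000, 0x10FFFF),
)

# Stream error from RFC 3920 / the 3920bis draft quoted in the report.
XML_NOT_WELL_FORMED = (
    "<stream:error>"
    "<xml-not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "</stream:error>"
)

def is_xml_char(cp: int) -> bool:
    """True if the code point is allowed anywhere in an XML 1.0 document."""
    return any(lo <= cp <= hi for lo, hi in XML_CHAR_RANGES)

def find_illegal_chars(text: str) -> list:
    """Return (offset, codepoint) for every character outside the Char production."""
    return [(i, ord(c)) for i, c in enumerate(text) if not is_xml_char(ord(c))]

def server_decision(stanza: str) -> str:
    """What a server should do with raw stanza text received from a client:
    'forward' it when well-formed, otherwise send the stream error and close
    the stream rather than passing the data on to other connected clients."""
    if find_illegal_chars(stanza):
        return XML_NOT_WELL_FORMED
    return "forward"

def parser_accepts(stanza: str) -> bool:
    """Cross-check with a real parser (expat): a receiving client's parser
    will reject the same data, which is what disconnects the other Pidgin."""
    try:
        ET.fromstring(stanza)
        return True
    except ET.ParseError:
        return False

# Constructed sample stanzas: the "away" status from step 3, with and without 0x0B.
GOOD_STANZA = "<presence><show>away</show><status>test</status></presence>"
BAD_STANZA = "<presence><show>away</show><status>test\x0b</status></presence>"
```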

