Fwd: [Support request] Tigase XMPP server should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Tue Aug 17 19:21:48 EDT 2010

---------- Forwarded message ----------
From: Artur Hefczyc <artur.hefczyc at tigase.org>
Date: Tue, Aug 17, 2010 at 3:59 PM
Subject: Re: [Support request] Tigase XMPP server should not pass
through non-well-formed XML
To: mark at kingant.net

Hi Mark,

Thank you for your message and letting me know about the problem.
I will look at it at the earliest possible time.
By the way is really the 0x0b character an invalid XML character?


On Aug 17, 2010, at 2:25 PM, Tigase.org Support wrote:

> Mark Doliner sent a message using the contact form at
> http://www.tigase.org/contact.
> Hi!  As far as I've been able to tell, XMPP servers should disconnect clients
> that send illegal XML characters[1].  And more importantly, XMPP servers
> should NOT pass through illegal XML characters.
> The original RFC3920[2] is a little vague on this issue (search for
> "well-formed"), but Peter Saint-Andre's current draft revision[3] is fairly
> clear:
> "An XMPP entity MUST NOT accept data that is not XML-well-formed; instead it
> MUST return an <xml-not-well-formed/> stream error and close the stream over
> which the data was received."
> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
> 1. Start two instances of Pidgin (if you're using a single computer then you
> will probably need to use the --multiple flag)
> 2. In each instance, login to a separate account on a single Tigase server (I
> used tigase.im)
> 3. In one of the instances, set your status to "away" and type the message
> "test" then <ctrl>+<shift>+u then 013 then space.  This will insert the ASCII
> character 013 aka 0x0b aka vertical tab
> 4. The other instance will be disconnected
> Background: I'm a developer on the Pidgin IM client.  We had a bug reported
> to us that Pidgin clients disconnect if someone in your buddy list inserts an
> illegal XML character into their status message.  I believe Pidgin's behavior
> is correct, according to the XMPP standards.  This effectively allows clients
> connected to a Tigase server to perform denial of service attacks against
> each other, which is why I believe this is somewhat of a security issue.
> If you have any questions, or disagree with my conclusions, or if there is a
> better place for me to report this, please let me know and we can discuss
> further.
> Thanks,
> Mark
> [1] http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
> [2] http://xmpp.org/rfcs/rfc3920.html
> [3] http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
> Report as inappropriate:
> http://www.tigase.org/mollom/report/session/100817f40ef0230e10

Artur Hefczyc

More information about the security mailing list