Unauthorized topic changes

Ethan Blanton elb at pidgin.im
Tue Jan 5 09:36:43 EST 2016


Thijs Alkemade spake unto us the following wisdom:
> Dave Cridland reported to me privately an issue they've been noticing with
> Pidgin and Openfire. Pidgin interprets every message in a MUC with a <subject>
> as a topic change, yet XEP-0045 §7.2.16 specifies that subjects MUST NOT
> contain a <body>. As some servers don't reject messages with both a <subject>
> and a <body>, those cause the appearance that unauthorized users can change
> the topic. It's a pretty minor issue security-wise, but I do think it should
> be treated as one.

This seems like a pretty straightforward fix that we should include in
2.11 when it ships (soon, right?).

Ethan
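The reported behaviour and the XEP-0045 rule it violates, as an added illustration (this is not Pidgin's code): the naive check treats any stanza with a <subject> as a topic change, while the strict check requires a type='groupchat' message with a <subject/> and no <body/>, as §7.2.16 specifies. The sample stanzas, JIDs and function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = "jabber:client"
MESSAGE = f"{{{NS}}}message"
SUBJECT = f"{{{NS}}}subject"
BODY = f"{{{NS}}}body"


def naive_is_topic_change(stanza: str) -> bool:
    """The behaviour described in the report: any <subject> counts as a topic change."""
    msg = ET.fromstring(stanza)
    return msg.find(SUBJECT) is not None


def strict_is_topic_change(stanza: str) -> bool:
    """XEP-0045 section 7.2.16: a subject change is a type='groupchat' message
    carrying a <subject/> element and no <body/> element."""
    msg = ET.fromstring(stanza)
    if msg.tag != MESSAGE or msg.get("type") != "groupchat":
        return False
    return msg.find(SUBJECT) is not None and msg.find(BODY) is None


# Constructed sample stanzas (hypothetical room and occupant JIDs).
LEGIT_SUBJECT = (
    '<message xmlns="jabber:client" type="groupchat" '
    'from="room@conference.example.org/moderator">'
    "<subject>Release planning</subject></message>"
)
SUBJECT_WITH_BODY = (
    '<message xmlns="jabber:client" type="groupchat" '
    'from="room@conference.example.org/visitor">'
    "<subject>Fake topic</subject><body>hello everyone</body></message>"
)
ORDINARY_MESSAGE = (
    '<message xmlns="jabber:client" type="groupchat" '
    'from="room@conference.example.org/visitor">'
    "<body>hello everyone</body></message>"
)

if __name__ == "__main__":
    for name, stanza in [("legit", LEGIT_SUBJECT), ("subject+body", SUBJECT_WITH_BODY),
                         ("ordinary", ORDINARY_MESSAGE)]:
        print(f"{name:13} naive={naive_is_topic_change(stanza)} "
              f"strict={strict_is_topic_change(stanza)}")
```

When a server forwards the subject-plus-body stanza unchanged, only the strict check keeps the client from rendering it as a topic change.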
