lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Jul 2003 14:53:18 -0600 From: "Jamin W. Collins" <jcollins@...ardsrealm.net> To: jdev@...ber.org Cc: bugtraq@...urityfocus.com, jadmin@...ber.org Subject: Re: [SECURITY] Remote roster manipulation bug in various Jabber clients On Wed, Jul 02, 2003 at 10:05:11PM +0200, Jacek Konieczny wrote: > 3. Impact > > The attack cannot be done from Jabber client connection to jabberd > 1.4.x server because of similar bug (or feature) in this server - it > doesn't check "to" attribute and all such <iq/>s treats as directed to > the server. Attacker roster stored on server is modified instead of > victims ones. Wouldn't this still be a concern? The roster on the server would be modified and only corrected if the client exited properly, thus resyncing it's list to the server, right? -- Jamin W. Collins Remember, root always has a loaded gun. Don't run around with it unless you absolutely need it. -- Vineet Kumar
Powered by blists - more mailing lists