Summary: XMPP doesn't verify 'from' on some iq replies
Date: 2014-01-28
CVE Number: CVE-2013-6483
Discovered By: Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen
Fixed In Release: 2.10.8


Description: The XMPP protocol plugin failed to ensure that iq replies came from the address the corresponding request was sent to. Since the stanza id was the only thing tying a result back to its request, a remote user could send a spoofed iq reply from their own address and attempt to guess the id of an outstanding request. A successful guess could allow the attacker to inject fake data into the client (for example, a forged response to a query it had sent to another party) or to trigger a null pointer dereference in the handler that processed the unexpected reply.


Mitigation: Keep track of the 'to' address when sending an iq stanza, and make sure that a reply carrying a given stanza id comes from the same address the request was sent to; replies whose 'from' does not match are discarded.
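The following is an added illustration of the check described above, written for this advisory and not code from Pidgin or libpurple. It keeps a small table of outstanding iq ids together with the JID each request was addressed to, and only hands a reply to the caller when both the id and the sender match. The structure and function names (iq_tracker, tracker_send, tracker_accept_reply) and all JIDs and ids are invented for the example; the one special case it models is a request sent to the user's own server (no 'to' attribute), whose reply RFC 6120 allows to omit 'from' or to use the account's bare JID or the server domain.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 16

/* One outstanding iq request: the id we generated and the address we sent it to.
 * Hypothetical structure for this example, not libpurple's own. */
struct pending_iq {
    char id[32];
    char to[128];   /* empty string if the iq was sent to our own server (no 'to') */
    int in_use;
};

struct iq_tracker {
    struct pending_iq slots[MAX_PENDING];
    char own_bare_jid[128];  /* e.g. alice@example.com */
    char server_domain[128]; /* e.g. example.com */
};

static void tracker_init(struct iq_tracker *t, const char *bare_jid, const char *domain)
{
    memset(t, 0, sizeof *t);
    snprintf(t->own_bare_jid, sizeof t->own_bare_jid, "%s", bare_jid);
    snprintf(t->server_domain, sizeof t->server_domain, "%s", domain);
}

/* Record an outgoing iq. 'to' may be NULL for a request to our own server.
 * Returns 0 on success, -1 if the pending table is full. */
static int tracker_send(struct iq_tracker *t, const char *id, const char *to)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!t->slots[i].in_use) {
            t->slots[i].in_use = 1;
            snprintf(t->slots[i].id, sizeof t->slots[i].id, "%s", id);
            snprintf(t->slots[i].to, sizeof t->slots[i].to, "%s", to ? to : "");
            return 0;
        }
    }
    return -1;
}

/* Is 'from' an acceptable sender for a reply to an iq that was sent to 'to'?
 * - If we addressed a specific JID, the reply must carry exactly that JID.
 * - If we sent it to our own server (no 'to'), the reply may omit 'from' or
 *   use our bare JID or the server domain, which is what RFC 6120 permits. */
static int reply_sender_ok(const struct iq_tracker *t, const char *to, const char *from)
{
    if (to[0] != '\0')
        return from != NULL && strcmp(from, to) == 0;
    return from == NULL
        || strcmp(from, t->own_bare_jid) == 0
        || strcmp(from, t->server_domain) == 0;
}

/* Match an incoming iq result/error against the pending table.
 * Returns 1 and releases the slot when the reply is genuine; returns 0 and keeps
 * the slot (so the real reply can still arrive) when the id is unknown or the
 * sender does not match the address the request went to. */
static int tracker_accept_reply(struct iq_tracker *t, const char *id, const char *from)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending_iq *p = &t->slots[i];
        if (!p->in_use || strcmp(p->id, id) != 0)
            continue;
        if (!reply_sender_ok(t, p->to, from))
            return 0;  /* spoofed: right id, wrong sender */
        p->in_use = 0;
        return 1;
    }
    return 0;  /* no such pending id */
}

/* Walk-through with constructed stanzas (no network; all addresses are made up).
 * Returns 1 when every case behaves as the mitigation requires. */
static int demo(void)
{
    struct iq_tracker t;
    tracker_init(&t, "alice@example.com", "example.com");
    tracker_send(&t, "purple1a2b", "bob@example.com/laptop");
    tracker_send(&t, "purple3c4d", NULL);  /* e.g. a roster query to our own server */

    int spoof  = tracker_accept_reply(&t, "purple1a2b", "mallory@evil.example/x");
    int real   = tracker_accept_reply(&t, "purple1a2b", "bob@example.com/laptop");
    int replay = tracker_accept_reply(&t, "purple1a2b", "bob@example.com/laptop");
    int srv    = tracker_accept_reply(&t, "purple3c4d", NULL);
    return spoof == 0 && real == 1 && replay == 0 && srv == 1;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "all checks behaved as expected" : "MISMATCH");
    return ok ? 0 : 1;
}
```

Two caveats a real implementation needs beyond this sketch: JIDs should be compared after normalization (the domain part is case-insensitive, and a bare-JID request may legitimately be answered from a full JID), and the spoofed reply is dropped rather than consuming the slot, so a guessed id cannot be used to make the client forget the genuine request. Note also that the sender check is what closes the hole here; it does not depend on ids being unpredictable, which is why guessable ids alone were enough to reach the bug.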
