FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

jabberd -- domain spoofing in server dialback protocol

Affected packages
jabberd < 2.2.16_2

Details

VuXML ID 4d1d2f6d-ec94-11e1-8bd8-0022156e8794
Discovery 2012-08-21
Entry 2012-08-23

XMPP Standards Foundation reports:

Some implementations of the XMPP Server Dialback protocol (RFC 3920/XEP-0220) have not been checking dialback responses to ensure that validated results are correlated with requests.

An attacking server could spoof one or more domains in communicating with a vulnerable server implementation, thereby avoiding the protections built into the Server Dialback protocol.
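The defect described above is a missing correlation check: a receiving server accepts a type='valid' dialback verification for whichever domain the answer names, instead of only for the request it actually sent. The following is an added example (not jabberd's code or the XSF's) of the vulnerable acceptance logic beside the correlated one; the dict-based stanza model and the pending-request table keyed by (stream id, originating domain, receiving domain) are assumptions for illustration.

```python
# Added example: correlating XMPP Server Dialback (XEP-0220) verify results with
# the <db:verify> requests a receiving server actually sent. Not jabberd code.
import secrets


class DialbackReceiver:
    """Receiving-server side of dialback, tracking outstanding verify requests."""

    def __init__(self):
        # Outstanding <db:verify> requests, keyed by (stream id, originating
        # domain, receiving domain); the value is the key we asked to have verified.
        self.pending = {}
        # Domains this receiving server has accepted as validated.
        self.validated = set()

    def send_verify(self, stream_id, origin, receiving):
        """Record that we asked origin's authoritative server to verify a key."""
        key = secrets.token_hex(16)  # constructed stand-in for the real dialback key
        self.pending[(stream_id, origin, receiving)] = key
        return {"from": receiving, "to": origin, "id": stream_id, "key": key}

    def handle_result_unchecked(self, verify):
        """Vulnerable pattern: any type='valid' answer validates its 'from' domain."""
        if verify.get("type") == "valid":
            self.validated.add(verify["from"])
            return True
        return False

    def handle_result(self, verify):
        """Hardened pattern: only an answer matching an outstanding request counts."""
        # The authoritative server answers with from/to swapped relative to our
        # request, so origin == verify['from'] and receiving == verify['to'].
        key = (verify.get("id"), verify.get("from"), verify.get("to"))
        if key not in self.pending:
            return False  # unsolicited or mismatched answer: drop it, validate nothing
        del self.pending[key]  # each request may be answered at most once
        if verify.get("type") != "valid":
            return False
        self.validated.add(verify["from"])
        return True
```

A receiver that also logs dropped (unsolicited or mismatched) answers gains a useful detection signal for spoofing attempts against its dialback exchange.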

References

CVE Name CVE-2012-3525
URL http://xmpp.org/resources/security-notices/server-dialback/