[ejabberd] Vulnerability in 2.0.4

Peter Viskup skupko.sk at gmail.com
Fri Mar 20 02:58:09 MSK 2009


FYI,

I tested this patch from binary files on ejabberd 2.0.1-6 from repositories
of GNU/Linux Debian Lenny and it works well!
There is an impact on every ejabberd server (not only on servers with
mod_muc_log). Users joining an attacked MUC can receive some SPAM messages
depending on the MUC's history_size configuration parameter, e.g.
help at conference.jabber.sk.

Regards,
Peter Viskup

On Thu, Mar 19, 2009 at 4:39 PM, Jeffrey Rogiers
<jeffrey.rogiers at gmail.com> wrote:

> Thank you for the clarification.
>
> Thanks,
> Jeffrey Rogiers
>
>
>
> On Thu, Mar 19, 2009 at 11:08 AM, Mickael Remond
> <mickael.remond at process-one.net> wrote:
> > Hello,
> >
> > To my knowledge they are reporting the fix we have put in 2.0.4.
> > If you do not use mod_muc_log, there is no risk.
> >
> > Jeffrey Rogiers wrote:
> >
> >> http://www.securityfocus.com/bid/34133
> >> http://secunia.com/advisories/34340/
> >>
> >> I've seen this reported in various places, but I haven't seen a patch
> >> anywhere. Has this been addressed?
> >>
> >> Thanks,
> >> Jeffrey Rogiers
> >> _______________________________________________
> >> ejabberd mailing list
> >> ejabberd at jabber.ru
> >> http://lists.jabber.ru/mailman/listinfo/ejabberd
> >
> > --
> > Mickaël Rémond
> >  http://www.process-one.net/
>