[ejabberd] Vulnerability in 2.0.4

Mickael Remond mickael.remond at process-one.net
Fri Mar 20 15:55:50 MSK 2009


Hello,

Peter Viskup wrote:

> FYI,
>
> I tested this patch from binary files on ejabberd 2.0.1-6 from
> repositories of GNU/Linux Debian Lenny and it works well!
> There is impact on every ejabberd server (not only on servers with
> mod_muc_log). Users joining an attacked MUC can receive some SPAM
> messages depending on muc's history_size configuration parameter ->
> e.g. help at conference.jabber.sk.

I think the vulnerability that was mentioned was the mod_muc_log problem.
What you are mentioning is different (probably goes into the anti-abuse
category).
And keep in mind that the CAPTCHA patch on MUC is still experimental and
relies on users' feedback for improvements :)

-- 
Mickaël Rémond
 http://www.process-one.net/
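For readers looking for the knob Peter refers to: this is an added configuration fragment, not taken from the thread or from the ejabberd distribution, showing where history_size lives in an ejabberd 2.0.x ejabberd.cfg. The host name, access rules and the value 0 are assumptions for illustration; history_size is the number of recent room messages that are replayed to every user on join, so it bounds how much of a flooded room's backlog a newcomer receives.

```erlang
%% ejabberd.cfg (ejabberd 2.0.x syntax) -- added example, not the project's
%% shipped default file. Only the history_size line is the point here.
{modules, [
  {mod_muc, [
     %% assumed virtual host for the conference service
     {host, "conference.@HOST@"},
     %% assumed access rules; keep whatever your deployment already uses
     {access, muc},
     {access_create, muc},
     {access_persistent, muc},
     {access_admin, muc_admin},
     %% Room backlog replayed to each joining occupant.
     %% A large value means a spammed room replays its spam to every
     %% newcomer; 0 disables history replay entirely (assumed value,
     %% pick what your rooms actually need).
     {history_size, 0}
  ]}
]}.
```

After changing the value, reload the configuration or restart ejabberd; the new limit applies to rooms on the next join, it does not retroactively clear history already held by a running room.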

