[ejabberd] Possible security issue with ejabberd 2.1.2 (format string attack) ?

SegFault segfaultmaker at gmail.com
Thu May 27 12:06:06 MSD 2010


Hi,

I'm not an expert, but I was running test with OpenVAS (nessus equivalent in
opensource) to test my server and here what he said under jabber-server
(5269/tcp) :
---
Reported by NVT "Generic format string" (1.3.6.1.4.1.25623.1.0.11133):


The remote service is vulnerable to a format string attack
An attacker may use this flaw to execute arbitrary code on this host.


Solution : upgrade your software or contact your vendor and inform it of
this
vulnerability
See also : http://www.securityfocus.com/archive/1/81565
Risk factor : High
---

Of course it seems to be a generic routine as he didn't identified ejabberd,
and of the course the link it give seems dead....
As the report is quite scary : execute arbitrary code, risk high ; I would
like to know if the flaw is confirmed, false positive, or unsure.
(If it's a false positive, It might be a good idea to warn OpenVAS people
about this with hope they can correct that).

Thanks,
Regards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.jabber.ru/pipermail/ejabberd/attachments/20100527/f8afd8bc/attachment.html>


More information about the ejabberd mailing list