[ejabberd] Possible security issue with ejabberd 2.1.2 (format string attack) ?
sylvain.niles at gmail.com
Thu May 27 22:43:50 MSD 2010
One other thing to keep in mind is that even if the formatted string were to
somehow exploit a flaw in ejabberd it would execute arbitrary code in the
Erlang VM. I don't believe you can store something like mnesia:delete in the
XML CDATA and actually have it be executed since it's never evaluated by the
running function, it is merely passed around stored in a tuple. The worst
case I could imagine is if they negotiated a successful anonymous stream and
attempted to DoS the router or IQ handler but the shapers should take care
of that without breaking a sweat.
On Thu, May 27, 2010 at 10:58 AM, SegFault <segfaultmaker at gmail.com> wrote:
> Thanks for your answer.
> I enabled all openvas components, but they are updated using the command
> "nvt-sync", I have about 17200 components. Don't know if difference can come
> On Thursday 27 May 2010 13:29:34, Badlop wrote:
> > > 2010/5/27 SegFault <segfaultmaker at gmail.com>:
> > >> I'm not an expert, but I was running test with OpenVAS (nessus
> > >> equivalent in opensource) to test my server and here what he said
> > >> jabber-server (5269/tcp) :
> > >> ---
> > >> Reported by NVT "Generic format string" (188.8.131.52.4.1.256184.108.40.20633):
> > Oh, I forgot an important sentence in my email:
> > 2010/5/27 Badlop <badlop at gmail.com>:
> > > Regarding ejabberd, I installed and tested:
> > > ejabberd 2.1.x, 2.1.3, 2.1.2, 2.1.1, 2.1.0
> > >
> > > During the tests, ejabberd got connections to the listened ports.
> > + "and finally OpenVAS didn't provide any warnings under the 5222,
> > 5269, ... ports, with any ejabberd version."
> > > I had all OpenVAS components enabled, 12157 in total.
> > >
> > > So, I couldn't reproduce what you say.
> > ---
> > Badlop
> > ProcessOne
> > _______________________________________________
> > ejabberd mailing list
> > ejabberd at jabber.ru
> > http://lists.jabber.ru/mailman/listinfo/ejabberd
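The point made at the top of the thread, that CDATA text is inert data inside the Erlang VM and that an untrusted format string can at most crash a process, can be shown in a few lines. The module below is an added example written for this archive, not ejabberd code; the `{xmlelement, Name, Attrs, Children}` / `{xmlcdata, Text}` tuple shape is only modelled on the representation ejabberd 2.1 uses, and the module name, `safe_format/2` and the payload string are all made up for the demonstration.

```erlang
%% Added example (not ejabberd code): CDATA stays data in an Erlang tuple,
%% and a hostile format string in io_lib:format/2 raises badarg rather
%% than executing anything.
-module(cdata_demo).
-export([run/0, stanza_from_cdata/1, safe_format/2]).

%% Hypothetical stanza builder, modelled on ejabberd 2.1's
%% {xmlelement, Name, Attrs, Children} tuples with {xmlcdata, Text} leaves.
%% The text is an ordinary binary; no code path parses it as Erlang source.
stanza_from_cdata(Text) when is_binary(Text) ->
    {xmlelement, <<"message">>, [{<<"type">>, <<"chat">>}],
     [{xmlelement, <<"body">>, [], [{xmlcdata, Text}]}]}.

%% Wrapper around io_lib:format/2. When the directives in Fmt do not match
%% Args the call raises error:badarg; that crash is the whole failure mode,
%% there is no memory write or code execution as in a C printf.
safe_format(Fmt, Args) ->
    try
        {ok, lists:flatten(io_lib:format(Fmt, Args))}
    catch
        error:badarg -> {error, badarg}
    end.

run() ->
    %% Constructed attacker payload: Erlang-looking source plus a "~s" directive.
    Payload = <<"mnesia:delete({passwd, <<\"admin\">>}). ~s ~n">>,
    Stanza = stanza_from_cdata(Payload),
    %% Walk the tuple the way a router or IQ handler would: pattern matching
    %% only. The bytes come back untouched; nothing evaluated them.
    {xmlelement, _, _,
     [{xmlelement, <<"body">>, _, [{xmlcdata, Body}]}]} = Stanza,
    true = (Body =:= Payload),
    %% Correct use: the payload is a *data* argument to a fixed format string.
    {ok, _} = safe_format("~s", [Body]),
    %% Misuse: the payload as the *format* string. "~s" has no argument to
    %% consume, so the process gets badarg; a DoS on that process at worst.
    {error, badarg} = safe_format(binary_to_list(Body), []),
    ok.
```

Compile and run with `erlc cdata_demo.erl && erl -noshell -eval 'ok = cdata_demo:run(), halt().'`; the `run/0` function returns `ok` only if every match above held. The one thing it does not show is the shaper behaviour mentioned in the message; that lives in the ejabberd listener configuration, not in the VM's handling of strings.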