U-246: Tigase XMPP Dialback Protection Bypass Vulnerability

August 28, 2012 - 7:00am

PROBLEM:

Tigase XMPP Dialback Protection Bypass Vulnerability

PLATFORM:

Tigase 5.x

ABSTRACT:

A vulnerability has been reported in Tigase, which can be exploited by malicious people to bypass certain security restrictions.

REFERENCE LINKS:

XMPP Standards Foundation
Secunia Advisory SA50362
tigase.org
CVE-2012-4670

IMPACT ASSESSMENT:

Medium

Discussion:

The vulnerability is caused by an error in the XMPP protocol implementation, which does not properly verify the "Verify Response" and "Authorization Response" messages of the Server Dialback exchange. This can be exploited to spoof a domain and bypass the Dialback protection.
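The following is an added illustration, not code from Tigase or from the advisory, of the check a receiving or originating server has to make on those two messages. It assumes the XEP-0220 (Server Dialback) message shapes: a Verify Response is `<db:verify from='…' to='…' id='…' type='valid'/>` and an Authorization Response is `<db:result from='…' to='…' type='valid'/>`, both in the `jabber:server:dialback` namespace. The domain names, stream ID and the `PendingDialback` record are constructed for the example. The point it demonstrates is that a `type='valid'` answer is only meaningful if its `from`, `to` (and, for verify, `id`) attributes match the exchange this server actually started; accepting the answer on `type` alone is what lets a peer claim a domain it never dialed back.

```python
"""Validating XEP-0220 Server Dialback answers against the request that prompted them."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

DIALBACK_NS = "jabber:server:dialback"


@dataclass(frozen=True)
class PendingDialback:
    """Bookkeeping for one dialback exchange this server started (hypothetical record).

    local_domain  - the domain this server is acting for
    remote_domain - the peer domain whose answer we are waiting for
    stream_id     - stream ID carried in our <db:verify>; checked on Verify Responses only
    """
    local_domain: str
    remote_domain: str
    stream_id: Optional[str] = None


def accept_dialback_response(xml_text: str, pending: PendingDialback, kind: str) -> bool:
    """Return True only if the answer is the one this server is waiting for.

    kind is "result" for an Authorization Response (<db:result type='valid'/>)
    or "verify" for a Verify Response (<db:verify type='valid'/>).
    Every attribute the peer sends is matched against our own record of the
    exchange, so a peer cannot obtain a 'valid' outcome for a domain it did
    not dial back.
    """
    if kind not in ("result", "verify"):
        raise ValueError("kind must be 'result' or 'verify'")
    try:
        elem = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    # Must be the element kind we expect, in the dialback namespace.
    if elem.tag != f"{{{DIALBACK_NS}}}{kind}":
        return False
    if elem.get("type") != "valid":
        return False
    # The essential check: 'from' and 'to' must name the domains of *this*
    # exchange, not merely be present and well-formed.
    if elem.get("from") != pending.remote_domain:
        return False
    if elem.get("to") != pending.local_domain:
        return False
    # A Verify Response must also echo the stream ID we put into our <db:verify>.
    if kind == "verify" and elem.get("id") != pending.stream_id:
        return False
    return True


# Constructed sample messages (not captured from any real server). The xmlns:db
# declaration normally lives on the <stream:stream> element; it is inlined here
# so that each fragment parses stand-alone.
DB = f'xmlns:db="{DIALBACK_NS}"'

# Receiving server example.com asked authoritative server example.org to confirm a key.
PENDING_VERIFY = PendingDialback("example.com", "example.org", stream_id="D60000229F")
GOOD_VERIFY = f'<db:verify {DB} from="example.org" to="example.com" id="D60000229F" type="valid"/>'
# 'from' names a domain this server never dialed back: must be rejected.
SPOOFED_VERIFY = f'<db:verify {DB} from="other.example" to="example.com" id="D60000229F" type="valid"/>'
# Stream ID does not belong to this exchange: must be rejected.
STALE_VERIFY = f'<db:verify {DB} from="example.org" to="example.com" id="FFFF" type="valid"/>'

# Originating server example.org awaits authorization from receiving server example.com.
PENDING_RESULT = PendingDialback("example.org", "example.com")
GOOD_RESULT = f'<db:result {DB} from="example.com" to="example.org" type="valid"/>'
WRONG_TYPE_RESULT = f'<db:result {DB} from="example.com" to="example.org" type="invalid"/>'


if __name__ == "__main__":
    for label, msg, pend, kind in (
        ("good verify", GOOD_VERIFY, PENDING_VERIFY, "verify"),
        ("spoofed verify", SPOOFED_VERIFY, PENDING_VERIFY, "verify"),
        ("stale verify", STALE_VERIFY, PENDING_VERIFY, "verify"),
        ("good result", GOOD_RESULT, PENDING_RESULT, "result"),
        ("invalid result", WRONG_TYPE_RESULT, PENDING_RESULT, "result"),
    ):
        print(f"{label:15s} -> {'accept' if accept_dialback_response(msg, pend, kind) else 'reject'}")
```

In a real server the `PendingDialback` record would be keyed by the stream the request went out on and removed once answered, so that a response can be consumed at most once; the matching logic itself is what the function above shows.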

Impact:

An attacking server could spoof one or more domains in communicating with a vulnerable server implementation, thereby avoiding the protections built into the Server Dialback protocol.

Solution:

The vendor has issued a fix: update to version 5.1.0.