#563 Automatic MUC kicks on stream errors can reveal domains in semi-anonymous rooms
Reporter
xnyhps
Owner
MattJ
Created
Updated
Stars
★★ (3)
Tags
Status-Fixed
Milestone-0.11
Priority-High
Type-Defect
MUC
Security
xnyhps
on
When a stream error is returned when trying to route a stanza to a MUC participant, the text of the stream error is copied literally to the MUC as the reason for the kick:
https://hg.prosody.im/0.9/file/5a60b4705bc3/plugins/muc/muc.lib.lua#l252
However, the stream error can contain the domain. For example, Prosody itself will include the domain when closing a stream with host-unknown:
https://hg.prosody.im/0.9/file/5a60b4705bc3/plugins/mod_s2s/mod_s2s.lua#l324
This leads to error messages such as:
User has left the chatroom (Kicked: remote server not found: Server-to-server connection failed: host-unknown (This host does not serve example.com))
This is a leak if the room is semi-anonymous.
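A small model of the mechanism described in this report, added here as an illustration and not code from Prosody or from the reporter. It stands in for the kick-reason construction in muc.lib.lua: the error table, the `whois` argument and `build_kick_reason` are assumptions replacing `stanza:get_error()` and the room's whois setting, and the error text is constructed to match the host-unknown case quoted above.

```lua
-- Added example (not Prosody's code): shows how a stanza error becomes a
-- MUC kick reason, and gates the free-text part on room anonymity.
-- `err` and `whois` are constructed stand-ins for stanza:get_error() and
-- the room's whois configuration.

local function build_kick_reason(err, whois)
	-- The condition is a fixed XMPP token (e.g. "host-unknown"); showing it
	-- is safe because it never carries a remote-supplied domain.
	local reason = "Kicked: "..(err.condition and err.condition:gsub("%-", " ") or "presence error");
	-- The <text/> element is free-form and may embed the peer's domain
	-- ("This host does not serve example.com"), so it is appended only when
	-- the room is non-anonymous and real JIDs are already visible to everyone.
	if err.text and whois == "anyone" then
		reason = reason..": "..err.text;
	end
	return reason;
end

-- Constructed error, modelled on the host-unknown case from the report.
local err = {
	type = "cancel",
	condition = "remote-server-not-found",
	text = "Server-to-server connection failed: host-unknown (This host does not serve example.com)",
};

-- Non-anonymous room: the full text, including the domain, is shown.
print(build_kick_reason(err, "anyone"));
-- Semi-anonymous room: only the condition survives.
print(build_kick_reason(err, "moderators"));

-- The semi-anonymous form must not carry the remote domain.
assert(not build_kick_reason(err, "moderators"):find("example.com", 1, true));
assert(build_kick_reason(err, "anyone"):find("example.com", 1, true));
```

The point of the split is that the condition is a closed vocabulary chosen by the XMPP specification, while the text is whatever the remote server (or the local s2s module) wrote, so only the latter needs to be withheld from rooms where occupants' servers are meant to stay hidden.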
Zash
on
Un-hiding because we don't think this is exploitable.
Changes
tag -Hidden
tag MUC
tag Status-Accepted
xnyhps
on
The s2s_secure_auth setting creates the same problem as host-unknown:
User has left the chatroom (Kicked: remote server not found: Server-to-server connection failed: not-authorized (Your server's certificate is invalid, expired, or not trusted by example.com))
Zash
on
Typo :)
Changes
title Autmatic MUC kicks on stream errors can reveal domains in semi-anonymous rooms → Automatic MUC kicks on stream errors can reveal domains in semi-anonymous rooms
MattJ
on
Changes
tags Milestone-0.11
MattJ
on
Proposed patch:
diff -r 4aa786a180f5 plugins/muc/muc.lib.lua
--- a/plugins/muc/muc.lib.lua Mon Aug 06 15:26:33 2018 +0100
+++ b/plugins/muc/muc.lib.lua Tue Aug 07 12:39:09 2018 +0100
@@ -361,8 +361,8 @@
local occupant = self:get_occupant_by_real_jid(real_jid);
if occupant == nil then return nil; end
local type, condition, text = stanza:get_error();
- local error_message = "Kicked: "..(condition and condition:gsub("%-", " ") or "presence error");
- if text then
+ local error_message = "Error: "..(condition and condition:gsub("%-", " ") or "presence error");
+ if text and room:get_whois() == "anyone" then
error_message = error_message..": "..text;
end
occupant:set_session(real_jid, st.presence({type="unavailable"})
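Review bot: `room` is not in scope in this hunk: the surrounding context calls `self:get_occupant_by_real_jid(real_jid)`, so the new gate should read `if text and self:get_whois() == "anyone" then`; unless `room` is defined elsewhere in the module, `room:get_whois()` is a method call on a nil global and will raise on the first kick rather than suppress the text. Separately, even when whois is "anyone", `text` remains free-form content written by the remote server (or by mod_s2s) and is still copied verbatim into the room status; keeping only the condition in the occupant-visible reason and logging the text server-side would close the leak independently of the room mode. The prefix change from "Kicked:" to "Error:" is a user-visible string change unrelated to the leak and deserves a mention in the commit message.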
Fixed in 51c5dd7a8ab9