#1162 MUC: discloses list of members of members-only and password-protected rooms by default

Reporter Jonas Wielicki
Owner Zash
Stars ★ (1)
  • Status-Fixed
  • Milestone-0.10
  • Security
  • Type-Defect
  • Priority-Medium
  1. Jonas Wielicki on

    Type: Information Disclosure. What steps will reproduce the problem? 1. Create a room. 2. Set it to members only. 3. Use another JID to query disco#items of that room. What is the expected output? forbidden, not-authorized or another error. Unfortunately, XEP-0045 mandates to return an empty list instead (§6.5): > If the list of occupants is private, the room MUST return an empty <query/> element, in accordance with XEP-0030. What do you see instead? The list of nicknames currently joined into the room. What version of the product are you using? On what operating system? 0.9.x, 0.10.x, trunk. XEP-0045 also says: > An implementation MAY return a list of existing occupants if that information is publicly available, or return no list at all if this information is kept private. Implementations and deployments are advised to turn off such information sharing by default. So this is not strictly a violation of XEP-0045, but it isn’t great either.

  2. Jonas Wielicki on

    FWIW, I’m not sure a security issue for this is 100% warranted, but better safe than sorry.

  3. Zash on

    • tags Status-Accepted Milestone-0.10
  4. Zash on

    Fixed in https://hg.prosody.im/0.10/rev/c47f220580fd We're treating this as a low-impact security issue.

    • owner Zash
    • tags Hidden Status-Fixed Priority-Medium

New comment

Not published. Used for spam prevention and optional update notifications.