Date: Thu, 31 May 2018 19:31:02 +0100
From: Matthew Wild <>
Subject: [CVE-2018-10847] prosody: insufficient stream header validation

Prosody security advisory 2018-05-31

Product
:   Prosody XMPP server

CVE
:   CVE-2018-10847

Date
:   2018-05-31

Affected versions
:   0.9.x prior to 0.9.14, 0.10.x prior to 0.10.2. All prior series affected.

Fixed versions
:   0.9.14, 0.10.2


Due to insufficient validation of client-provided parameters during XMPP
stream restarts, authenticated users may override the realm associated
with their session, potentially bypassing security policies and allowing


Prosody did not verify that the virtual host associated with a user
session remained the same across stream restarts.

In practice this means that a user may authenticate to XMPP host A
and migrate their authenticated session to XMPP host B of the same
Prosody instance.

Note that successful authentication to host A is required to initiate
the attack. This includes SASL ANONYMOUS.

Overriding the authenticated username is not possible via this exploit,
and this limits impersonation to usernames on host B that the attacker
also has access to on host A. In the case of ANONYMOUS authentication,
the username is random and enforced by the server.

If a user has the account user1@...ta.example, they may impersonate
user1@...tb.example, with security policies of host B applied.
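To make the described flaw concrete, the following Python sketch is an added example (not Prosody's code and not the upstream patch) of a minimal stream-header handler for a server that serves several virtual hosts. It parses the `to` attribute of each `<stream:stream>` header, binds the session to that host on the first header, and then either lets a restart header silently replace the bound host (the behaviour the advisory describes) or refuses the change with a `not-authorized` stream error (the hardened policy). The host names `hosta.example` and `hostb.example`, the `KNOWN_HOSTS` set and the `pin_host` switch are constructed for the example; the error condition names `host-unknown` and `not-authorized` are the standard stream error conditions from RFC 6120.

```python
import re

# Stream error conditions defined by RFC 6120, section 4.9.3
HOST_UNKNOWN = "host-unknown"
NOT_AUTHORIZED = "not-authorized"

# Constructed set of virtual hosts served by one server instance
# (mirrors the host A / host B pair in the advisory).
KNOWN_HOSTS = {"hosta.example", "hostb.example"}

_HEADER_RE = re.compile(r"<stream:stream\b([^>]*)>")
_ATTR_RE = re.compile(r"([\w:]+)\s*=\s*[\"']([^\"']*)[\"']")


class StreamError(Exception):
    """Raised when a stream header must be rejected; .condition names the RFC 6120 condition."""

    def __init__(self, condition):
        super().__init__(condition)
        self.condition = condition


def parse_stream_header(data):
    """Return the attributes of the (unclosed) <stream:stream> opening tag."""
    m = _HEADER_RE.search(data)
    if m is None:
        raise ValueError("not a stream header")
    return dict(_ATTR_RE.findall(m.group(1)))


class Session:
    def __init__(self):
        self.host = None           # virtual host the session is bound to
        self.username = None       # set by a completed SASL exchange
        self.authenticated = False


def handle_stream_open(session, header, known_hosts, pin_host=True):
    """Process a stream header, either the initial one or one sent after a restart.

    pin_host=False reproduces the flaw: the 'to' attribute of a restart header
    replaces the host the session was bound to. pin_host=True is the hardened
    policy: once a host is bound, a header naming a different host is refused.
    """
    attrs = parse_stream_header(header)
    to = attrs.get("to")
    if to not in known_hosts:
        raise StreamError(HOST_UNKNOWN)
    if session.host is None:
        session.host = to                      # first header binds the virtual host
    elif to != session.host:
        if pin_host:
            raise StreamError(NOT_AUTHORIZED)  # refuse the host change across restart
        session.host = to                      # vulnerable: realm silently overridden
    return session


def authenticate(session, username):
    """Stand-in for a successful SASL exchange (constructed; no real SASL here)."""
    session.username = username
    session.authenticated = True


def run_restart_scenario(pin_host):
    """Authenticate to hosta, then restart the stream with a header addressed to hostb.

    Returns the host the session ends up bound to, or the stream error
    condition that stopped the restart.
    """
    ns = 'xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0"'
    session = Session()
    handle_stream_open(session, f'<stream:stream to="hosta.example" {ns}>', KNOWN_HOSTS, pin_host)
    authenticate(session, "user1")
    try:
        handle_stream_open(session, f'<stream:stream to="hostb.example" {ns}>', KNOWN_HOSTS, pin_host)
    except StreamError as e:
        return e.condition
    return session.host


if __name__ == "__main__":
    print("unpinned:", run_restart_scenario(pin_host=False))  # hostb.example
    print("pinned:  ", run_restart_scenario(pin_host=True))   # not-authorized
```

With `pin_host=False` the session authenticated as `user1` on `hosta.example` ends up bound to `hostb.example` with the same username, which is exactly the realm override the advisory describes. The hardened variant pins the host from the first stream header onward, so the check does not even depend on authentication state; a server could equally choose to compare only against the host recorded at authentication time, which is the narrower property the advisory names.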

Affected configurations

Prosody deployments configured with multiple virtual hosts are

Standard TCP connections and websocket connections are affected,
but BOSH connections are not affected - i.e. deployments where
the only access to Prosody is via BOSH are not vulnerable.

Temporary mitigation

Patch available.

-  stable 0.10 branch:
-  old stable 0.9 branch:


All users should upgrade to at least 0.9.14 or 0.10.2, or check their OS
distribution for security updates. Users of development branches (0.10,
trunk) should upgrade to the latest nightly builds.


Reported by Princess Pepperoni from


