CVE-2016-0756
Published: Jan 29, 2016
Modified: Aug 5, 2024
PUBLISHED
Description
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
FEDORA-2016-e2c5111eda (vendor-advisory, x_refsource_FEDORA)
82241 (vdb-entry, x_refsource_BID)
FEDORA-2016-5a5c85c5a8 (vendor-advisory, x_refsource_FEDORA)
https://prosody.im/issues/issue/596 (x_refsource_CONFIRM)
[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm (mailing-list, x_refsource_MLIST)
http://blog.prosody.im/prosody-0-9-10-released/ (x_refsource_CONFIRM)
DSA-3463 (vendor-advisory, x_refsource_DEBIAN)
https://prosody.im/security/advisory_20160127/ (x_refsource_CONFIRM)