SymbiSoft / m-im

Automatically exported from code.google.com/p/m-im

PLAIN authentication is sent to servers not supporting it #8

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
PLAIN authentication is sent to servers even if the server does not support
it. This can potentially send a password in plaintext, which might
potentially leak it to a third party.

In XMPP.java
        try {
            if (reader.supportGoogleToken) {
                writer.writeSASL("X-GOOGLE-TOKEN", generateTokenViaGoogle());
                reader.requireSuccess();
            } else {
                writer.writeSASL("PLAIN", generatePlanAuthData());
                reader.requireSuccess();
            }
Should be
            if (reader.supportGoogleToken) {
                writer.writeSASL("X-GOOGLE-TOKEN", generateTokenViaGoogle());
                reader.requireSuccess();
            } else if (reader.supportPlain) {
                writer.writeSASL("PLAIN", generatePlanAuthData());
                reader.requireSuccess();
            } else {
                throw new RuntimeException("No supported authentication method");
            }

Diff attached

Original issue reported on code.google.com by Gert...@gmail.com on 24 Apr 2010 at 8:02


GoogleCodeExporter commented 8 years ago
If more authentication methods are added, they should be tried in order of reducing security.

Original comment by Gert...@gmail.com on 24 Apr 2010 at 8:32
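As an added example (not m-im's code, and not the attached diff), here is the mechanism selection that the issue and the comment above together describe: parse the mechanisms the server actually advertised in its stream features, walk a preference list from strongest to weakest, and fail closed instead of falling back to PLAIN when PLAIN was never offered. Class and method names, and the sample stream features, are hypothetical and constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not part of m-im: picks a SASL mechanism only from
// those the server advertised, strongest first.
public class SaslMechanismChooser {

    // Preference order, decreasing security. DIGEST-MD5 is listed because the
    // thread plans to implement it; PLAIN is deliberately the last resort.
    private static final List<String> PREFERENCE =
        Arrays.asList("X-GOOGLE-TOKEN", "DIGEST-MD5", "PLAIN");

    // Extracts every <mechanism>NAME</mechanism> from the server's
    // <stream:features> element (a small regex is enough for this shape).
    static List<String> parseMechanisms(String streamFeatures) {
        List<String> offered = new ArrayList<String>();
        Matcher m = Pattern.compile("<mechanism>\\s*([^<\\s]+)\\s*</mechanism>")
                           .matcher(streamFeatures);
        while (m.find()) {
            offered.add(m.group(1));
        }
        return offered;
    }

    // Returns the strongest mechanism both sides support. Throws when there is
    // no overlap, so the password is never sent with a mechanism the server
    // did not offer.
    static String choose(List<String> offered) {
        for (String candidate : PREFERENCE) {
            if (offered.contains(candidate)) {
                return candidate;
            }
        }
        throw new RuntimeException(
            "No supported authentication method; server offered " + offered);
    }

    public static void main(String[] args) {
        // Constructed sample: a server that advertises only a mechanism we
        // do not implement. Login must abort rather than fall back to PLAIN.
        String onlyScram = "<stream:features>"
            + "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
            + "<mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>";
        try {
            System.out.println(choose(parseMechanisms(onlyScram)));
        } catch (RuntimeException e) {
            System.out.println("Aborting login: " + e.getMessage());
        }
        // Constructed sample: PLAIN and X-GOOGLE-TOKEN both offered, so the
        // stronger X-GOOGLE-TOKEN is selected regardless of listing order.
        String both = "<mechanisms><mechanism>PLAIN</mechanism>"
            + "<mechanism>X-GOOGLE-TOKEN</mechanism></mechanisms>";
        System.out.println(choose(parseMechanisms(both)));
    }
}
```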

GoogleCodeExporter commented 8 years ago
Probably should be changed as recommended by Gert - suggest doing as part of MD5-DIGEST auth impl since it will be changing the same method of code.

Original comment by markmcna...@gmail.com on 1 Sep 2010 at 11:43