You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The built-in ident server responds to requests from any ip, which can let arbitrary parties enumerate mxid's that are connected through a specific bridge. RFC1413 explicitly states that 'a user on address A may only query the server on address B about connections between A and B'.
Also, in the current (barebones) implementation, IRC clients are solely keyed by their source TCP port number, which isn't guaranteed to be unique; only the full tuple of (source ip, source port, target ip, target port) is. This is increasingly more likely to overlap when using individual v6 addresses for clients or connecting to different networks, as technically every single one of those could be using the same source port..
The built-in ident server responds to requests from any ip, which can let arbitrary parties enumerate mxid's that are connected through a specific bridge. RFC1413 explicitly states that 'a user on address A may only query the server on address B about connections between A and B'.
Also, in the current (barebones) implementation, IRC clients are solely keyed by their source TCP port number, which isn't guaranteed to be unique; only the full tuple of
(source ip, source port, target ip, target port)is. This is increasingly more likely to overlap when using individual v6 addresses for clients or connecting to different networks, as technically every single one of those could be using the same source port..Originally reported to [email protected]
The text was updated successfully, but these errors were encountered: