[Cisco Jabber] XMPP Stanza Smuggling with stream:stream tag

We discussed this vulnerability during Episode 161 on 24 October 2022

Cisco Jabber, an XMPP client, treated the closing </stream:stream> XML tag as a special case: on seeing it, the parser reset its state, so whatever tag came next was taken as the root of a new XML document. An attacker who can get that end tag into a message can therefore inject control stanzas that the client processes as if they had come from the server.

While Jabber passing arbitrary XML inside a message through to the recipient may sound dangerous, it is an intended feature that lets plugins implement their own handlers. Where things go wrong is that the gloox library used for XML processing was modified to clean up the parser state whenever it parsed a closing stream:stream tag, regardless of the context in which that tag appeared (it should only matter at the top level, where it ends the actual stream).

An attacker could include a self-closing <stream:stream /> tag in their message (well-formed on its own, so a server that only checks stanzas for well-formedness has no reason to reject it) and then follow it with a new XML stanza carrying control commands, such as pointing the recipient's client at a different server or adding contacts to its roster.
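To make the failure mode concrete, here is a toy stream framer written for this post; it is not gloox or Cisco code. It tracks element nesting and hands every direct child of the stream root to "stanza handlers". With `vulnerable=True` it reproduces the special case described above: any end-of-element event named stream:stream, including the one produced by a self-closing <stream:stream/> buried inside a message body, wipes the parser state. With `vulnerable=False` only the close of the real root ends the stream. The XMPP traffic, JIDs and roster payload are constructed for the demonstration, not captured.

```python
import re

# Matches one tag: group 1 = "/" for a close tag, 2 = element name,
# 3 = attributes, 4 = "/" for a self-closing tag (toy: no attribute parsing).
TAG_RE = re.compile(r"<(/?)([A-Za-z_:][\w:.-]*)([^<>]*?)(/?)>")
STREAM_ROOT = "stream:stream"


def parse_stream(data, vulnerable):
    """Frame an XMPP stream into stanzas the way a client would.

    Returns (stanzas, events): stanzas is a list of (element name, raw XML)
    handed to stanza handlers; events records resets, errors and stream close.
    vulnerable=True mimics the stream:stream special case described in the post.
    """
    stack = []           # names of open elements, stack[0] is the stream root
    stanzas = []
    events = []
    stanza_start = None  # offset where the current depth-1 child began

    def start_element(name, pos):
        nonlocal stanza_start
        if not stack and not vulnerable and name != STREAM_ROOT:
            events.append(f"error: root must be <{STREAM_ROOT}>, got <{name}>")
            return False
        stack.append(name)
        if len(stack) == 2:
            stanza_start = pos
        return True

    def end_element(name, end_pos):
        nonlocal stanza_start
        if vulnerable and name == STREAM_ROOT:
            # The bug: an end-of-element event for stream:stream at ANY depth,
            # whether from a real </stream:stream> or a self-closing
            # <stream:stream/> inside a message, resets the parser. The next tag
            # becomes a new root and its children are delivered as stanzas.
            stack.clear()
            stanza_start = None
            events.append("reset")
            return True
        if not stack or stack[-1] != name:
            events.append(f"error: unexpected </{name}>")
            return False
        stack.pop()
        if len(stack) == 1:
            stanzas.append((name, data[stanza_start:end_pos]))
            stanza_start = None
        elif not stack:
            # Hardened rule: only closing the actual root ends the stream.
            events.append("stream closed")
        return True

    for m in TAG_RE.finditer(data):
        is_close, name, self_closing = m.group(1) == "/", m.group(2), m.group(4) == "/"
        if is_close:
            ok = end_element(name, m.end())
        else:
            ok = start_element(name, m.start()) and (
                not self_closing or end_element(name, m.end()))
        if not ok:
            break
    return stanzas, events


# Constructed sample traffic: a benign message, then a message whose body
# carries a well-formed self-closing <stream:stream/> followed by an attacker
# supplied "root" and a roster-modifying <iq> meant to be delivered as a stanza.
STREAM = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams'>"
    "<message from='alice@example.test' to='victim@example.test'>"
    "<body>hello</body></message>"
    "<message from='mallory@example.test' to='victim@example.test'><body>"
    "<stream:stream/>"
    "<stream:stream xmlns='jabber:client'>"
    "<iq type='set' id='r1'><query xmlns='jabber:iq:roster'>"
    "<item jid='mallory@example.test' subscription='both'/></query></iq>"
    "</stream:stream>"
    "</body></message>"
    "</stream:stream>"
)

if __name__ == "__main__":
    for mode in (True, False):
        stanzas, events = parse_stream(STREAM, vulnerable=mode)
        print("vulnerable" if mode else "hardened", [n for n, _ in stanzas], events)
```

Run as-is, the vulnerable parser delivers a `message` and then the smuggled `iq` as a top-level stanza, with two resets logged; the hardened parser delivers two `message` stanzas, the second of which simply contains the nested XML as payload, and reports the stream closed only at the real </stream:stream>. The same shape of check applies to any streaming parser that has a "reset on stream end" path: the reset must be conditioned on the element actually being the root, never on its name alone.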