ejabberd_commands authentication bug

I think I've found an issue with the way users making ejabberdctl commands are authenticated by ejabberd_commands:check_auth.

I noticed this when making XMLRPC commands from my Python component using ejabberd_xmlrpc. When I modified my ejabberd.cfg to use {auth_password_format, scram} and added an SSL certificate, my XMLRPC commands started to throw errors like this:

W(<0.2623.0>:ejabberd_xmlrpc:328) : Error -118
A problem '{error,invalid_account_data}' occurred executing the command user_sessions_info with arguments

I dug around a bit and found that ejabberd_commands.erl was comparing the provided password against both the user's password and the MD5 hash of that password, but did not use the ejabberd_auth:check_password method that's used elsewhere to properly handle the SCRAMed passwords.

Is there a security or other reason not to use the same authentication logic used elsewhere for authenticating XMLRPC commands? If not, the diff looks like this, and I can submit a pull request from my GitHub fork if you'd like.
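The failure mode described above, reduced to a runnable illustration (added here as an example; this is not ejabberd's code, not the poster's diff, and the account records, salt and passwords are constructed): a command authenticator that only knows how to compare a supplied password against a stored plaintext value and its MD5 rejects every account once the stored value is a SCRAM record, while a single format-aware verifier, the role ejabberd_auth:check_password plays in the post, handles both storage formats. The SCRAM arithmetic follows RFC 5802 (Hi is PBKDF2-HMAC-SHA-1).

```python
"""Plaintext/MD5-only command auth vs. a format-aware password check.

Illustration with constructed accounts and a fixed salt; not ejabberd code.
"""
import hashlib
import hmac


def scram_store(password: str, salt: bytes, iterations: int) -> dict:
    """Build a SCRAM-SHA-1 record the way RFC 5802 defines it."""
    # SaltedPassword = Hi(password, salt, i) == PBKDF2-HMAC-SHA-1, dkLen 20
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"format": "scram", "salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def plain_store(password: str) -> dict:
    """Record for the {auth_password_format, plain} case."""
    return {"format": "plain", "password": password}


# Constructed account table: same password, one row per storage format.
SALT = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")  # constructed salt
ACCOUNTS = {
    "alice@example.org": plain_store("correct horse"),
    "bob@example.org": scram_store("correct horse", SALT, 4096),
}


def naive_check_auth(jid: str, password: str) -> bool:
    """The pattern the post describes: compare against the stored value
    and its MD5. Only meaningful when the stored value *is* the password."""
    rec = ACCOUNTS.get(jid)
    if rec is None:
        return False
    stored = rec.get("password")  # absent for SCRAM rows
    if stored is None:
        return False  # every SCRAM account fails here
    return (password == stored
            or password == hashlib.md5(stored.encode()).hexdigest())


def check_password(jid: str, password: str) -> bool:
    """One verifier that understands every storage format (the role of
    ejabberd_auth:check_password in the post)."""
    rec = ACCOUNTS.get(jid)
    if rec is None:
        return False
    if rec["format"] == "plain":
        return hmac.compare_digest(password.encode(), rec["password"].encode())
    if rec["format"] == "scram":
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(),
                                     rec["salt"], rec["iterations"])
        client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
        return hmac.compare_digest(hashlib.sha1(client_key).digest(),
                                   rec["stored_key"])
    return False


def command_auth(jid: str, password: str, checker) -> str:
    """Gate an admin command on the chosen checker; returns the same
    outcome token the XMLRPC error in the post reports."""
    return "ok" if checker(jid, password) else "invalid_account_data"


if __name__ == "__main__":
    for jid in ACCOUNTS:
        print(jid, "naive:", command_auth(jid, "correct horse", naive_check_auth),
              "| format-aware:", command_auth(jid, "correct horse", check_password))
```

Run as a script it prints the plain account passing both checkers and the SCRAM account passing only the format-aware one; that asymmetry is exactly what surfaced as invalid_account_data once the poster switched auth_password_format to scram. The design point is that command interfaces should never re-implement credential comparison; routing every path through the one routine that knows the storage format is what keeps a configuration change from silently breaking (or, in the other direction, weakening) authentication.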

Thanks, it's committed to ejabberd 2.1.x
