Critical bug in Spark

Spark uses Smack, so this bug affects Spark: http://www.igniterealtime.org/community/message/172715#172715

Anyone can kick someone simply by sending a message. (Either a chat message or a multiuserchat message.)

Well. There is no easy way to send that message for a common user. So it’s not as critical as it seems. Moreover, it’s a bug in Smack, so it can’t be fixed in Spark before Smack is fixed. That bug isn’t yet filed in JIRA for Smack, so I can’t connect a new JIRA ticket for Spark with that issue. We should wait until this is filed by developers for Smack.

You must be kidding, open Gajim or Psi:

Open the XML console (right click on the account in Psi, Advanced menu in Gajim). Send this:

<message to="victim@hisserver.fr/spark" type="chat" id="1345">
<body>plop</body>
<x xmlns="jabber:x:delay" stamp="200868T09:16:20" from="mylogin@monserver.fr"/>
<thread>9gOp44</thread>
</message>

And that’s it.

It’s really, really easy! And I found this bug because my bot crashed several times. I’m wondering if Psi doesn’t send this kind of packet itself…

I meant that there is no “Kick that user” button in clients. An advanced user can use that, of course. Anyway, as long as this is not addressed and fixed in Smack, there is nothing we can do about Spark.

I agree with your last sentence. The last version of Smack seems a little old. Is it still developed?

Yes, it is developed. If you look at the roadmap, http://www.igniterealtime.org/issues/browse/SMACK?report=com.atlassian.jira.plugin.system.project:roadmap-panel

some issues were fixed a few weeks ago.