Moderate severityNVD Advisory· Published Feb 18, 2012· Updated Apr 29, 2026
CVE-2011-4320
CVE-2011-4320
Description
The mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3 allows remote authenticated users to cause a denial of service (infinite loop) via a stanza with a publish tag that lacks a node attribute.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ejabberdHex | < 2.1.9 | 2.1.9 |
ejabberdHex | >= 3.0.0-alpha-1, < 3.0.0-alpha-4 | 3.0.0-alpha-4 |
Affected products
2cpe:2.3:a:process-one:ejabberd:2.1.8:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:process-one:ejabberd:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:process-one:ejabberd:3.0.0:alpha3:*:*:*:*:*:*
Patches
2d3c4eab46f3cFix Denial of Service when user sends malformed publish stanza (thanks to Oleg Smirnov) (EJAB-1498)
3 files changed · +39 −33
src/mod_pubsub/mod_pubsub.erl+5 −2 modified@@ -2509,8 +2509,11 @@ publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload) -> case lists:member("auto-create", features(Type)) of true -> case create_node(Host, ServerHost, Node, Publisher, Type) of - {result, _} -> - publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload); + {result, Reply2} -> + NewNode = exmpp_xml:get_path(Reply2, [{element, 'create'}, + {attribute, <<"node">>}]), + publish_item(Host, ServerHost, NewNode, Publisher, ItemId, + Payload); _ -> {error, 'item-not-found'} end;
src/mod_pubsub/mod_pubsub_odbc.erl+5 −2 modified@@ -2301,8 +2301,11 @@ publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload) -> case lists:member("auto-create", features(Type)) of true -> case create_node(Host, ServerHost, Node, Publisher, Type) of - {result, _} -> - publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload); + {result, Reply2} -> + NewNode = exmpp_xml:get_path(Reply2, [{element, 'create'}, + {attribute, <<"node">>}]), + publish_item(Host, ServerHost, NewNode, Publisher, ItemId, + Payload); _ -> {error, 'item-not-found'} end;
src/mod_pubsub/pubsub_odbc.patch+29 −29 modified@@ -1,5 +1,5 @@ ---- mod_pubsub.erl 2011-08-31 16:42:23.000000000 +0200 -+++ mod_pubsub_odbc.erl 2011-08-31 16:42:23.000000000 +0200 +--- mod_pubsub.erl 2011-09-21 14:40:16.000000000 +0200 ++++ mod_pubsub_odbc.erl 2011-09-21 14:40:29.000000000 +0200 @@ -42,7 +42,7 @@ %%% 6.2.3.1, 6.2.3.5, and 6.3. For information on subscription leases see %%% XEP-0060 section 12.18. @@ -621,7 +621,7 @@ {PayloadCount, PayloadNS} = payload_els_ns(Payload), PayloadSize = size(term_to_binary(Payload))-2, % size(term_to_binary([])) == 2 PayloadMaxSize = get_option(Options, max_payload_size), -@@ -2642,7 +2434,7 @@ +@@ -2645,7 +2437,7 @@ %% <p>The permission are not checked in this function.</p> %% @todo We probably need to check that the user doing the query has the right %% to read the items. @@ -630,7 +630,7 @@ MaxItems = if SMaxItems == "" -> get_max_items_node(Host); -@@ -2656,12 +2448,13 @@ +@@ -2659,12 +2451,13 @@ {error, Error} -> {error, Error}; _ -> @@ -645,7 +645,7 @@ {PresenceSubscription, RosterGroup} = get_presence_and_roster_permissions(Host, From, Owners, AccessModel, AllowedGroups), if not RetreiveFeature -> -@@ -2674,11 +2467,11 @@ +@@ -2677,11 +2470,11 @@ node_call(Type, get_items, [Nidx, From, AccessModel, PresenceSubscription, RosterGroup, @@ -659,7 +659,7 @@ SendItems = case ItemIds of [] -> Items; -@@ -2691,7 +2484,7 @@ +@@ -2694,7 +2487,7 @@ %% number of items sent to MaxItems: {result, #xmlel{ns = ?NS_PUBSUB, name = 'pubsub', children = [#xmlel{ns = ?NS_PUBSUB, name = 'items', attrs = nodeAttr(Node), children = @@ -668,7 +668,7 @@ Error -> Error end -@@ -2707,8 +2500,8 @@ +@@ -2710,8 +2503,8 @@ ). get_items(Host, NodeId) -> @@ -679,7 +679,7 @@ end, case transaction(Host, NodeId, Action, sync_dirty) of {result, {_, Items}} -> Items -@@ -2725,13 +2518,24 @@ +@@ -2728,13 +2521,24 @@ ). get_item(Host, NodeId, ItemId) -> @@ -706,7 +706,7 @@ %% @spec (Host, Node, NodeId, Type, LJID, Number) -> any() %% Host = pubsubHost() -@@ -2742,32 +2546,32 @@ +@@ -2745,32 +2549,32 @@ %% Number = last | integer() %% @doc <p>Resend the items of a node to the user.</p> %% @todo use cache-last-item feature @@ -761,7 +761,7 @@ {result, []} -> []; {result, Items} -> -@@ -2789,20 +2593,7 @@ +@@ -2792,20 +2596,7 @@ [#xmlel{ns = ?NS_PUBSUB_EVENT, name = 'items', attrs = nodeAttr(Node), children = itemsEls(ToSend)}]) end, @@ -783,7 +783,7 @@ %% @spec (Host, JID, Plugins) -> {error, Reason} | {result, Response} %% Host = host() -@@ -2905,7 +2696,8 @@ +@@ -2908,7 +2699,8 @@ error -> {error, 'bad-request'}; _ -> @@ -793,7 +793,7 @@ case lists:member(Owner, Owners) of true -> OwnerJID = exmpp_jid:make(Owner), -@@ -2915,24 +2707,8 @@ +@@ -2918,24 +2710,8 @@ end, lists:foreach( fun({JID, Affiliation}) -> @@ -820,7 +820,7 @@ end, FilteredEntities), {result, []}; _ -> -@@ -2961,7 +2737,7 @@ +@@ -2964,7 +2740,7 @@ Error -> Error end. @@ -829,7 +829,7 @@ Subscriber = try exmpp_jid:parse(JID) of J -> jlib:short_jid(J) catch -@@ -2969,7 +2745,7 @@ +@@ -2972,7 +2748,7 @@ exmpp_jid:make("", "", "") %% TODO, check if use <<>> instead of "" end, {result, Subs} = node_call(Type, get_subscriptions, @@ -838,7 +838,7 @@ SubIds = lists:foldl(fun({subscribed, SID}, Acc) -> [SID | Acc]; (_, Acc) -> -@@ -2979,17 +2755,17 @@ +@@ -2982,17 +2758,17 @@ {_, []} -> {error, extended_error('not-acceptable', "not-subscribed")}; {[], [SID]} -> @@ -861,7 +861,7 @@ OptionsEl = #xmlel{ns = ?NS_PUBSUB, name = 'options', attrs = [ ?XMLATTR(<<"jid">>, exmpp_jid:to_binary(Subscriber)), ?XMLATTR(<<"subid">>, SubId) | nodeAttr(Node)], -@@ -3021,8 +2797,8 @@ +@@ -3024,8 +2800,8 @@ Error -> Error end. @@ -872,7 +872,7 @@ {result, GoodSubOpts} -> GoodSubOpts; _ -> invalid end, -@@ -3032,7 +2808,7 @@ +@@ -3035,7 +2811,7 @@ _ -> exmpp_jid:make("", "", "") %% TODO, check if use <<>> instead of "" end, {result, Subs} = node_call(Type, get_subscriptions, @@ -881,7 +881,7 @@ SubIds = lists:foldl(fun({subscribed, SID}, Acc) -> [SID | Acc]; (_, Acc) -> -@@ -3042,19 +2818,19 @@ +@@ -3045,19 +2821,19 @@ {_, []} -> {error, extended_error('not-acceptable', "not-subscribed")}; {[], [SID]} -> @@ -907,7 +907,7 @@ {result, _} -> {result, []}; {error, _} -> -@@ -3228,8 +3004,8 @@ +@@ -3231,8 +3007,8 @@ ?XMLATTR(<<"subsription">>, subscription_to_string(Sub)) | nodeAttr(Node)]}]}]}, ejabberd_router:route(service_jid(Host), JID, Stanza) end, @@ -918,7 +918,7 @@ true -> Result = lists:foldl(fun({JID, Subscription, SubId}, Acc) -> -@@ -3583,7 +3359,7 @@ +@@ -3586,7 +3362,7 @@ Collection = tree_call(Host, get_parentnodes_tree, [Host, Node, service_jid(Host)]), {result, [{Depth, [{N, sub_with_options(N)} || N <- Nodes]} || {Depth, Nodes} <- Collection]} end, @@ -927,7 +927,7 @@ {result, CollSubs} -> subscribed_nodes_by_jid(NotifyType, CollSubs); _ -> [] end. -@@ -3641,19 +3417,19 @@ +@@ -3644,19 +3420,19 @@ {_, JIDSubs} = lists:foldl(DepthsToDeliver, {[], []}, SubsByDepth), JIDSubs. @@ -953,7 +953,7 @@ _ -> {JID, SubId, []} end. -@@ -3765,6 +3541,30 @@ +@@ -3768,6 +3544,30 @@ Result end. @@ -984,7 +984,7 @@ %% @spec (Host, Options) -> MaxItems %% Host = host() %% Options = [Option] -@@ -4288,9 +4088,14 @@ +@@ -4291,9 +4091,14 @@ tree_action(Host, Function, Args) -> ?DEBUG("tree_action ~p ~p ~p",[Host,Function,Args]), @@ -1002,7 +1002,7 @@ %% @doc <p>node plugin call.</p> -spec(node_call/3 :: -@@ -4328,7 +4133,7 @@ +@@ -4331,7 +4136,7 @@ node_action(Host, Type, Function, Args) -> ?DEBUG("node_action ~p ~p ~p ~p",[Host,Type,Function,Args]), @@ -1011,7 +1011,7 @@ node_call(Type, Function, Args) end, sync_dirty). -@@ -4343,7 +4148,7 @@ +@@ -4346,7 +4151,7 @@ ). transaction(Host, NodeId, Action, Trans) -> @@ -1020,7 +1020,7 @@ case tree_call(Host, get_node, [Host, NodeId]) of #pubsub_node{} = Node -> case Action(Node) of -@@ -4357,7 +4162,7 @@ +@@ -4360,7 +4165,7 @@ end, Trans). @@ -1029,7 +1029,7 @@ ( Host :: string() | host(), Action :: fun(), -@@ -4365,21 +4170,28 @@ +@@ -4368,21 +4173,28 @@ -> {'result', Nodes :: [] | [Node::pubsubNode()]} ). @@ -1063,7 +1063,7 @@ {result, Result} -> {result, Result}; {error, Error} -> {error, Error}; {atomic, {result, Result}} -> {result, Result}; -@@ -4387,6 +4199,15 @@ +@@ -4390,6 +4202,15 @@ {aborted, Reason} -> ?ERROR_MSG("transaction return internal error: ~p~n", [{aborted, Reason}]), {error, 'internal-server-error'}; @@ -1079,7 +1079,7 @@ {'EXIT', Reason} -> ?ERROR_MSG("transaction return internal error: ~p~n", [{'EXIT', Reason}]), {error, 'internal-server-error'}; -@@ -4395,6 +4216,16 @@ +@@ -4398,6 +4219,16 @@ {error, 'internal-server-error'} end.
d5b4d6785879Fix Denial of Service when user sends malformed publish stanza (thanks to Oleg Smirnov) (EJAB-1498)
3 files changed · +31 −27
src/mod_pubsub/mod_pubsub.erl+4 −2 modified@@ -2108,8 +2108,10 @@ publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload) -> case lists:member("auto-create", features(Type)) of true -> case create_node(Host, ServerHost, Node, Publisher, Type) of - {result, _} -> - publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload); + {result, [{xmlelement, "pubsub", [{"xmlns", ?NS_PUBSUB}], + [{xmlelement, "create", [{"node", NewNode}], []}]}]} -> + publish_item(Host, ServerHost, list_to_binary(NewNode), + Publisher, ItemId, Payload); _ -> {error, ?ERR_ITEM_NOT_FOUND} end;
src/mod_pubsub/mod_pubsub_odbc.erl+4 −2 modified@@ -1921,8 +1921,10 @@ publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload) -> case lists:member("auto-create", features(Type)) of true -> case create_node(Host, ServerHost, Node, Publisher, Type) of - {result, _} -> - publish_item(Host, ServerHost, Node, Publisher, ItemId, Payload); + {result, [{xmlelement, "pubsub", [{"xmlns", ?NS_PUBSUB}], + [{xmlelement, "create", [{"node", NewNode}], []}]}]} -> + publish_item(Host, ServerHost, list_to_binary(NewNode), + Publisher, ItemId, Payload); _ -> {error, ?ERR_ITEM_NOT_FOUND} end;
src/mod_pubsub/pubsub_odbc.patch+23 −23 modified@@ -1,5 +1,5 @@ ---- mod_pubsub.erl 2011-08-31 16:08:42.000000000 +0200 -+++ mod_pubsub_odbc.erl 2011-08-31 16:08:42.000000000 +0200 +--- mod_pubsub.erl 2011-09-21 14:37:16.000000000 +0200 ++++ mod_pubsub_odbc.erl 2011-09-21 14:37:36.000000000 +0200 @@ -42,7 +42,7 @@ %%% 6.2.3.1, 6.2.3.5, and 6.3. For information on subscription leases see %%% XEP-0060 section 12.18. @@ -554,7 +554,7 @@ case Result of default -> {result, Reply}; _ -> {result, Result} -@@ -2241,7 +2054,7 @@ +@@ -2243,7 +2056,7 @@ %% <p>The permission are not checked in this function.</p> %% @todo We probably need to check that the user doing the query has the right %% to read the items. @@ -563,7 +563,7 @@ MaxItems = if SMaxItems == "" -> get_max_items_node(Host); -@@ -2255,12 +2068,13 @@ +@@ -2257,12 +2070,13 @@ {error, Error} -> {error, Error}; _ -> @@ -578,7 +578,7 @@ {PresenceSubscription, RosterGroup} = get_presence_and_roster_permissions(Host, From, Owners, AccessModel, AllowedGroups), if not RetreiveFeature -> -@@ -2273,11 +2087,11 @@ +@@ -2275,11 +2089,11 @@ node_call(Type, get_items, [NodeId, From, AccessModel, PresenceSubscription, RosterGroup, @@ -592,7 +592,7 @@ SendItems = case ItemIDs of [] -> Items; -@@ -2290,7 +2104,8 @@ +@@ -2292,7 +2106,8 @@ %% number of items sent to MaxItems: {result, [{xmlelement, "pubsub", [{"xmlns", ?NS_PUBSUB}], [{xmlelement, "items", nodeAttr(Node), @@ -602,7 +602,7 @@ Error -> Error end -@@ -2312,10 +2127,15 @@ +@@ -2314,10 +2129,15 @@ Error -> Error end. get_allowed_items_call(Host, NodeIdx, From, Type, Options, Owners) -> @@ -619,7 +619,7 @@ %% @spec (Host, Node, NodeId, Type, LJID, Number) -> any() -@@ -2327,31 +2147,29 @@ +@@ -2329,31 +2149,29 @@ %% Number = last | integer() %% @doc <p>Resend the items of a node to the user.</p> %% @todo use cache-last-item feature @@ -670,7 +670,7 @@ ToSend = case node_action(Host, Type, get_items, [NodeId, LJID]) of {result, []} -> []; -@@ -2374,20 +2192,7 @@ +@@ -2376,20 +2194,7 @@ [{xmlelement, "items", nodeAttr(Node), itemsEls(ToSend)}]) end, @@ -692,7 +692,7 @@ %% @spec (Host, JID, Plugins) -> {error, Reason} | {result, Response} %% Host = host() -@@ -2489,7 +2294,8 @@ +@@ -2491,7 +2296,8 @@ error -> {error, ?ERR_BAD_REQUEST}; _ -> @@ -702,7 +702,7 @@ case lists:member(Owner, Owners) of true -> OwnerJID = jlib:make_jid(Owner), -@@ -2499,24 +2305,7 @@ +@@ -2501,24 +2307,7 @@ end, lists:foreach( fun({JID, Affiliation}) -> @@ -728,7 +728,7 @@ end, FilteredEntities), {result, []}; _ -> -@@ -2569,11 +2358,11 @@ +@@ -2571,11 +2360,11 @@ end. read_sub(Subscriber, Node, NodeID, SubID, Lang) -> @@ -742,7 +742,7 @@ OptionsEl = {xmlelement, "options", [{"jid", jlib:jid_to_string(Subscriber)}, {"subid", SubID}|nodeAttr(Node)], [XdataEl]}, -@@ -2599,7 +2388,7 @@ +@@ -2601,7 +2390,7 @@ end. set_options_helper(Configuration, JID, NodeID, SubID, Type) -> @@ -751,7 +751,7 @@ {result, GoodSubOpts} -> GoodSubOpts; _ -> invalid end, -@@ -2628,7 +2417,7 @@ +@@ -2630,7 +2419,7 @@ write_sub(_Subscriber, _NodeID, _SubID, invalid) -> {error, extended_error(?ERR_BAD_REQUEST, "invalid-options")}; write_sub(Subscriber, NodeID, SubID, Options) -> @@ -760,7 +760,7 @@ {error, notfound} -> {error, extended_error(?ERR_NOT_ACCEPTABLE, "invalid-subid")}; {result, _} -> -@@ -2796,8 +2585,8 @@ +@@ -2798,8 +2587,8 @@ {"subscription", subscription_to_string(Sub)} | nodeAttr(Node)], []}]}]}, ejabberd_router:route(service_jid(Host), jlib:make_jid(JID), Stanza) end, @@ -771,7 +771,7 @@ true -> Result = lists:foldl(fun({JID, Subscription, SubId}, Acc) -> -@@ -3152,7 +2941,7 @@ +@@ -3154,7 +2943,7 @@ {Depth, [{N, get_node_subs(N)} || N <- Nodes]} end, tree_call(Host, get_parentnodes_tree, [Host, Node, service_jid(Host)]))} end, @@ -780,7 +780,7 @@ {result, CollSubs} -> CollSubs; _ -> [] end. -@@ -3166,9 +2955,9 @@ +@@ -3168,9 +2957,9 @@ get_options_for_subs(NodeID, Subs) -> lists:foldl(fun({JID, subscribed, SubID}, Acc) -> @@ -792,7 +792,7 @@ _ -> Acc end; (_, Acc) -> -@@ -3357,6 +3146,30 @@ +@@ -3359,6 +3148,30 @@ Result end. @@ -823,7 +823,7 @@ %% @spec (Host, Options) -> MaxItems %% Host = host() %% Options = [Option] -@@ -3753,7 +3566,13 @@ +@@ -3755,7 +3568,13 @@ tree_action(Host, Function, Args) -> ?DEBUG("tree_action ~p ~p ~p",[Host,Function,Args]), Fun = fun() -> tree_call(Host, Function, Args) end, @@ -838,7 +838,7 @@ %% @doc <p>node plugin call.</p> node_call(Type, Function, Args) -> -@@ -3773,13 +3592,13 @@ +@@ -3775,13 +3594,13 @@ node_action(Host, Type, Function, Args) -> ?DEBUG("node_action ~p ~p ~p ~p",[Host,Type,Function,Args]), @@ -854,7 +854,7 @@ case tree_call(Host, get_node, [Host, Node]) of N when is_record(N, pubsub_node) -> case Action(N) of -@@ -3791,13 +3610,19 @@ +@@ -3793,13 +3612,19 @@ Error end end, Trans). @@ -878,7 +878,7 @@ {result, Result} -> {result, Result}; {error, Error} -> {error, Error}; {atomic, {result, Result}} -> {result, Result}; -@@ -3805,6 +3630,15 @@ +@@ -3807,6 +3632,15 @@ {aborted, Reason} -> ?ERROR_MSG("transaction return internal error: ~p~n", [{aborted, Reason}]), {error, ?ERR_INTERNAL_SERVER_ERROR}; @@ -894,7 +894,7 @@ {'EXIT', Reason} -> ?ERROR_MSG("transaction return internal error: ~p~n", [{'EXIT', Reason}]), {error, ?ERR_INTERNAL_SERVER_ERROR}; -@@ -3813,6 +3647,17 @@ +@@ -3815,6 +3649,17 @@ {error, ?ERR_INTERNAL_SERVER_ERROR} end.
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- support.process-one.net/browse/EJAB-1498nvdPatchWEB
- secunia.com/advisories/46915nvdVendor Advisory
- github.com/advisories/GHSA-2h3q-v47h-f4rcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2011-4320ghsaADVISORY
- www.openwall.com/lists/oss-security/2011/11/19/1nvdWEB
- www.openwall.com/lists/oss-security/2011/11/19/2nvdWEB
- www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.9nvdWEB
- github.com/processone/ejabberd/commit/d3c4eab46f3cd54f7686cfed740d9c130b6801cfghsaWEB
- github.com/processone/ejabberd/commit/d5b4d6785879f0a5192c26f5b5e218aec8104798ghsaWEB
- www.osvdb.org/77302nvd
News mentions
0No linked articles in our index yet.