Dear sir, I am glad to see that Mosquitto supports MQTTv5. However, I have found a potential vulnerability, which I have named "unauthorized response topic". We find that the ACL doesn't define access control on the response topic, which we find important in MQTT. For example, suppose the adversary cannot publish messages to topic A, while a victim is allowed to publish messages to topic A. The adversary sends a PUBLISH packet to topic B with response topic A and correlation data. The aforementioned victim, subscribed to topic B, receives the PUBLISH message with the response topic and correlation data; according to the MQTT v5.0 specification, the victim will then send the malicious correlation data to topic A. This suggests that the adversary can utilize the response topic indirectly. We believe the ACL should add access control for the response topic, and the server should check whether the adversary has authority over the response topic in their CONNECT or PUBLISH packet.
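An added example (not Mosquitto's own code) of the broker-side check the report proposes: a simplified parser for Mosquitto's acl_file syntax (only `user` and `topic` lines; `pattern` lines are not handled) and an authorization function that rejects a PUBLISH whose MQTT v5 Response Topic the publisher could not write to directly. The ACL text and the topic names A and B are constructed to mirror the scenario above.

```python
# Added example, not Mosquitto code: model the proposed check that a publisher
# must also hold write access to the Response Topic it attaches to a PUBLISH.

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT filter match: '+' matches one level, '#' matches the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)

def parse_acl(text: str) -> dict:
    """Parse simplified acl_file lines: 'user <name>' then 'topic [access] <filter>'.
    A 'topic' line without an access keyword means readwrite, as in Mosquitto."""
    acl, user = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "user":
            user = parts[1]
            acl.setdefault(user, [])
        elif parts[0] == "topic" and user is not None:
            access, filt = ("readwrite", parts[1]) if len(parts) == 2 else (parts[1], parts[2])
            acl[user].append((access, filt))
    return acl

def can_write(acl: dict, user: str, topic: str) -> bool:
    """A user with no matching rule is denied (acl_file default)."""
    return any(a in ("write", "readwrite") and topic_matches(f, topic)
               for a, f in acl.get(user, []))

def authorize_publish(acl: dict, user: str, topic: str, response_topic: str = None):
    """Return (accepted, reason): check the PUBLISH topic, then the Response Topic if present."""
    if not can_write(acl, user, topic):
        return False, f"{user} may not publish to {topic}"
    if response_topic is not None and not can_write(acl, user, response_topic):
        return False, f"{user} may not name {response_topic} as a response topic"
    return True, "ok"

# Constructed ACL for the reported scenario: the adversary can write B but not A.
CONSTRUCTED_ACL = """
user victim
topic readwrite A
topic read B
user adversary
topic write B
"""
```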
What could count as malicious correlation data? It is just a binary blob for comparison to see what request and response match.
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/501.