Prosody did not verify that the virtual host associated with a user
session remained the same across stream restarts.
In practice this means that a user may authenticate to XMPP host A and
migrate their authenticated session to XMPP host B of the same Prosody
Note that successful authentication to host A is required to initiate
the attack. This includes SASL ANONYMOUS.
Overriding the authenticated username is not possible via this exploit,
and this limits impersonation to usernames on host B that the attacker
also has access to on host A. In the case of ANONYMOUS authentication,
the username is random and enforced by the server.
If a user has the account firstname.lastname@example.org, they may impersonate
email@example.com, with security policies of host B applied.
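To make the failure mode concrete from the defender's side, here is an added example (not Prosody's own code, and written in Python rather than Prosody's Lua) that models the check the fix needs: a session is bound to the virtual host named in its first stream header, and every later stream header (a restart after STARTTLS or SASL) must name that same host, otherwise the restart is rejected. The host list, the `Session` class and the `migration_attempt` helper are constructed for this example; the SASL handling is a stand-in that only distinguishes PLAIN from ANONYMOUS, where the anonymous localpart is server-generated as the advisory describes.

```python
"""Added example, not Prosody's own code: a minimal model of pinning an XMPP
session to the virtual host it first opened a stream against, so that a stream
restart cannot move an authenticated session to another host on the same instance."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Virtual hosts the (hypothetical) instance serves; constructed for the example.
VIRTUAL_HOSTS = frozenset({"example.com", "example.org"})


class HostMismatch(Exception):
    """A restarted stream named a different virtual host than the session's."""


@dataclass
class Session:
    host: Optional[str] = None       # virtual host the session is bound to
    username: Optional[str] = None   # set by SASL; None until authenticated
    restarts: int = 0                # stream headers seen after the first


def open_stream(session: Session, to_host: str) -> str:
    """Process a <stream:stream to='...'> header and return the bound host.

    The first header binds the session to `to_host`. Every later header (a
    stream restart) must name the same host, whether or not SASL has completed;
    this is the strict reading of "remained the same across stream restarts".
    """
    if to_host not in VIRTUAL_HOSTS:
        raise ValueError(f"host {to_host!r} is not served here")
    if session.host is None:
        session.host = to_host
        return to_host
    session.restarts += 1
    if to_host != session.host:
        who = f" (authenticated as {session.username})" if session.username else ""
        raise HostMismatch(
            f"session bound to {session.host} tried to restart as {to_host}{who}"
        )
    return session.host


def authenticate(session: Session, mechanism: str, username: Optional[str] = None) -> str:
    """Complete SASL and return the username now bound to the session.

    ANONYMOUS gets a server-chosen random localpart, mirroring the advisory's
    note that the anonymous username is enforced by the server.
    """
    if session.host is None:
        raise RuntimeError("no stream opened")
    if session.username is not None:
        raise RuntimeError("already authenticated")
    if mechanism == "ANONYMOUS":
        session.username = secrets.token_hex(8)
    elif mechanism == "PLAIN" and username:
        session.username = username
    else:
        raise ValueError("unsupported mechanism or missing username")
    return session.username


def jid(session: Session) -> str:
    """The JID the server acts on for this session: localpart@bound-host."""
    if session.username is None or session.host is None:
        raise RuntimeError("session is not authenticated")
    return f"{session.username}@{session.host}"


def migration_attempt(from_host: str, to_host: str, mechanism: str = "PLAIN") -> bool:
    """Replay the advisory's scenario: authenticate to from_host, then restart the
    stream naming to_host. Returns True if the pinned session rejected the restart."""
    s = Session()
    open_stream(s, from_host)
    authenticate(s, mechanism, "alice")
    try:
        open_stream(s, to_host)
    except HostMismatch:
        return True
    return False


if __name__ == "__main__":
    print("cross-host restart rejected:", migration_attempt("example.com", "example.org"))
    print("same-host restart accepted:", not migration_attempt("example.com", "example.com"))
```

The point of the design is that the host is recorded once and compared on every restart, rather than re-derived from each new stream header; with that in place the JID the server acts on (`jid(session)`) can never name a host the session did not authenticate against, which is exactly the property the original code lacked.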
This has been fixed in: