OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Dereferencing Namespace URIs considered harmful

It would be worthwhile taking a little time to consider the possible
security impact of encouraging XML processing software to dereference
Namespace URIs as a matter of course.

Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most
web servers have well known vulnerabilities to various forms of malformed
URL. In addition the logs kept by web servers can be and are used to track
the progress of HTML formatted email messages - this could easily be
extended to track the progress of XML documents (e.g. SOAP messages, XML
based EDI documents) providing an attacker with valuable information on the
business infrastructure behind the firewall.

If processing software uses the Namespace URI to fetch a second XML document
and begins to process that document it opens itself up to a number of Denial
of Service attacks (feeding the processor an infinitely long document,
putting new Namespace URIs in the second document which are the start of an
infinitely long chain of URIs).

This danger exists at the moment in the form of email clients who accept and
display HTML format email messages. It would seem to me to be foolish to
extend this danger to mission critical servers processing core business XML

John Wilson
The Wilson Partnership
5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK
+44 1296 641072, +44 7976 611010(mobile), +44 1296 641874(fax)