OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Dereferencing Namespace URIs considered harmful

> It would be worthwhile taking a little time to consider the possible
> security impact of encouraging XML processing software to dereference
> Namespace URIs as a matter of course.
>
> Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most
> web servers have well known vulnerabilities to various forms of malformed
> URL. In addition the logs kept by web servers can be and are used to track
> the progress of HTML formatted email messages - this could easily be
> extended to track the progress of XML documents (e.g. SOAP messages, XML
> based EDI documents) providing an attacker with valuable information on the
> business infrastructure behind the firewall.

Thanks for mentioning this, which is a very important issue for all of us
writing network software to keep in mind.

However, I hardly think there is anything special about dereferencing
namespace URIs that causes any particular concern.  Internet
infrastructure revolves around accessing and opening up resources from
untrusted parties.  Without this, CERT would be a lot less busy, but the
Internet would be precisely nowhere.  There is little one can do to make
the Internet more valuable without also making it more dangerous.

Programmers need to be aware of possible denial-of-service attacks, remote
exploits, etc.  As for web bugs, I don't think there's much to be done.
These can already be insinuated through entity references in current XML
documents.  This may be a problem for thse obsessed about privacy.  As for
the idea that hackers can map out a firewall-protected network using such
web bugs, I'm no security expert, but I'm suspicious that this is possible
without some other concomitant security failure of the system.  After all,
in a bastion host system, all the nefarious HTTP loggers will see is the
public firewall address.


-- 
Uche Ogbuji                               Principal Consultant
uche.ogbuji@fourthought.com               +1 303 583 9900 x 101
Fourthought, Inc.                         http://Fourthought.com
4735 East Walnut St, Ste. C, Boulder, CO 80301-2537, USA
Software-engineering, knowledge-management, XML, CORBA, Linux, Python