Lists Home |
Date Index |
Eric van der Vlist wrote,
> Miles Sabin wrote:
> > This is likely to be particularly so in server as opposed to client
> > applications: that a server designed to only _consume_ incoming
> > documents might be tricked into making outgoing requests to
> > arbitrary hosts is probably completely unexpected.
> Yes, that's a fascinating and frightening perspective, but isn't it
> the case also with any HTML document which can instruct a browser to
> do many outgoing requests to fetch images, stylesheets, scripts and
> other objects?
Yes it is, but it's now pretty widely understood that HTML (with or
without embedded scripts or objects) can be dangerous on the client.
I don't think there's the same understanding of vulnerabilities on the
server side: if you POST and HTML document to a server you wouldn't
normally expect it to attempt to retrieve images or execute embedded
scripts or objects. OTOH, with an XML POST to a validating XML
processor, retrieval of referenced external enities is precisely what's
going to happen in many cases.