   Re: [xml-dev] XInclude: security risk 1


>How bad is this? Does this do anything a hacker can't do with IMG 
>tags or external entity references now? I do think this is worse than 
>those cases because fallbacks let the result of the load be 
>communicated back to the original host (or a different one).

That's an interesting point.  You may be able to obtain some feedback
with entity references too, since if the entity reference fails in
some way then the rest of the document may not be processed, including
later entity references.  But the XInclude case may be more useful,
depending on exactly what circumstances the processor falls back or
aborts.

>Combined with JavaScript and DHTML, this attack could become a lot 
>more effective. If the browser exposes the post-include DOM to any 
>such technology, then this would allow the remote site to gather 
>information from normally restricted pages on the Intranet.

This on the other hand seems to be exactly the same as the entity
reference case: my Javascript looking at a DOM with your file:///whatever
XIncluded is no worse than looking at a DOM with your file:///whatever
entity expanded.

Maintainers of web-based validators should worry about the same
problem.

-- Richard
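The discussion above turns on two things a defender can control: which hrefs an XInclude processor is willing to resolve, and whether a refused include is allowed to fall back (and thereby tell the document author whether the fetch succeeded). The following is an added example, not code from the thread or from any XInclude implementation. It is a small XInclude resolver written from scratch on top of xml.etree, so that the policy is explicit: only `parse="xml"` includes of allowlisted HTTPS hosts are resolved, a refused include aborts the whole document rather than taking its `xi:fallback`, and every include attempt is recorded for logging. The document, the allowlisted host `cms.example.org` and the fetched resources are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XI = "http://www.w3.org/2001/XInclude"
XI_INCLUDE = "{%s}include" % XI
XI_FALLBACK = "{%s}fallback" % XI


class IncludeRefused(Exception):
    """An xi:include pointed outside the allowlist, or failed with no fallback."""


def href_allowed(href, allowed_origins):
    """Policy: only http(s) to an allowlisted host. file:, other schemes and
    unknown hosts (e.g. intranet names) are refused, never attempted."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.netloc.lower() in allowed_origins


def _resolve(parent, fetch, allowed_origins, audit, depth):
    i = 0
    while i < len(parent):
        child = parent[i]
        if child.tag != XI_INCLUDE:
            _resolve(child, fetch, allowed_origins, audit, depth)
            i += 1
            continue
        href = child.get("href", "")
        # A refused include is fatal for the whole document: taking the
        # fallback here would turn the fallback into a success/failure oracle.
        if child.get("parse", "xml") != "xml" or not href_allowed(href, allowed_origins):
            audit.append((href, "refused"))
            raise IncludeRefused("refused include of %r" % href)
        if depth <= 0:
            audit.append((href, "refused"))
            raise IncludeRefused("include depth exceeded at %r" % href)
        try:
            text = fetch(href)
        except Exception:
            # Fallback is honoured only for an allowlisted target that failed,
            # so the only fact it reveals is about a host we chose to expose.
            fallback = child.find(XI_FALLBACK)
            if fallback is None:
                audit.append((href, "failed"))
                raise IncludeRefused("no fallback for failed include %r" % href)
            audit.append((href, "fallback"))
            replacement = list(fallback)
            if child.tail and replacement:
                replacement[-1].tail = (replacement[-1].tail or "") + child.tail
            parent.remove(child)
            for offset, node in enumerate(replacement):
                parent.insert(i + offset, node)
            i += len(replacement)
            continue
        audit.append((href, "included"))
        new = ET.fromstring(text)
        new.tail = child.tail
        _resolve(new, fetch, allowed_origins, audit, depth - 1)  # nested includes
        parent[i] = new
        i += 1


def resolve_xincludes(xml_text, fetch, allowed_origins, max_depth=4):
    """Parse xml_text, resolve its xi:include elements under the policy above and
    return (root, audit). audit is a list of (href, outcome) tuples suitable for
    logging; outcomes are included, fallback, failed or refused."""
    root = ET.fromstring(xml_text)
    audit = []
    _resolve(root, fetch, set(h.lower() for h in allowed_origins), audit, max_depth)
    return root, audit


# --- constructed sample data ---------------------------------------------
ALLOWED = {"cms.example.org"}
FAKE_STORE = {"https://cms.example.org/parts/header.xml": "<header>Site</header>"}


def fake_fetch(href):
    """Stand-in for an HTTP fetch; a KeyError plays the role of a failed load."""
    return FAKE_STORE[href]


SAMPLE_DOC = """<doc xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="https://cms.example.org/parts/header.xml"/>
  <xi:include href="https://cms.example.org/parts/missing.xml">
    <xi:fallback><p>no extra</p></xi:fallback>
  </xi:include>
</doc>"""

# A document that tries to learn whether file:///whatever is readable by
# watching which branch survives; the policy rejects it before any read.
PROBE_DOC = """<doc xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="file:///whatever">
    <xi:fallback><p>could not read</p></xi:fallback>
  </xi:include>
</doc>"""

if __name__ == "__main__":
    root, audit = resolve_xincludes(SAMPLE_DOC, fake_fetch, ALLOWED)
    print(ET.tostring(root, encoding="unicode"))
    print(audit)
    try:
        resolve_xincludes(PROBE_DOC, fake_fetch, ALLOWED)
    except IncludeRefused as exc:
        print("rejected:", exc)
```

The audit list is the detection hook: feeding it to a logger gives a per-document record of every include target, so probing documents (file: hrefs, intranet hostnames) show up even though they were never fetched. The same aborting rule applies to a hosted validator: if it resolves includes or external entities from user-supplied documents at all, a refused target should fail the whole job rather than produce a partial result.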

Copyright 2001 XML.org. This site is hosted by OASIS