xml-dev - Re: [xml-dev] XInclude: security risk 1

Re: [xml-dev] XInclude: security risk 1

[ Lists Home | Date Index | Thread Index ]

To: Elliotte Rusty Harold <elharo@metalab.unc.edu>
Subject: Re: [xml-dev] XInclude: security risk 1
From: Rich Salz <rsalz@datapower.com>
Date: Sat, 26 Oct 2002 22:15:05 -0400 (EDT)
Cc: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
In-reply-to: <p04330100b9e080b82819@[192.168.254.4]>

> Once a local user has loaded this into a web browser from behind the
> firewall, the original host site or some other remote site can easily
> determine whether some document exists on some server that would not
> normally be accessible to it.

Interesting idea.  It would be easy, for example, for an adversary to
determine the system type by looking for things like /linux vs
C:\PROGRA~1.  Knowing that would help them attack.
	/r$

References:
- XInclude: security risk 1
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>

Prev by Date: RE: [xml-dev] [ANN] "Future of Software and Databases" NetSeminar (December 3)
Next by Date: Re: [xml-dev] Are XML's Good Ideas hidden? (was Re: [xml-dev] Re: What are Sc...
Previous by thread: Re: [xml-dev] XInclude: security risk 1
Next by thread: Re: [xml-dev] XInclude: security risk 1
Index(es):
- Date
- Thread