OASIS Mailing List Archives





   Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack


It strikes me that this puts the cart before the horse. The answer is not to ban
external entities; it is to allow access control lists as part of entity managers
or URL resolvers.

> * DoS on the parsing system by making it open, e.g.
>   file:///dev/random | file:///dev/urandom | file://c:/con/con

ACL can address this.

> * TCP scans using HTTP external entities (including behind firewalls
>   since application servers often have world view different
>   from that of the attacker)

ACL can fix this.

> * Unauthorized access to data stored as XML files on the parsing
>   system file system (of course the attacker still needs a way to
>   get these data back)

Err, yes: this is a bit too vague to be credible, isn't it? But an ACL system
would fix that.

>  * DoS on other systems (if parsing system is allowed to establish
>   TCP connections to other systems)

ACL would reduce this.  

> * NTLM authentication material theft by initiating UNC file access to
>   systems under attacker control (far fetched?)


> * Doomsday scenario: A widely deployed and highly connected application
>   vulnerable to this attack may be used for DDoS.

ACL can reduce this. 

An interesting point is that XInclude and other in-body links which are automatically
fetched, parsed and embedded are susceptible to some kind of DoS where
a resource fetched from a system under attacker control generates a
never-terminating series of XInclude references, each included document including
more documents. At least the prolog fixes the number of entities possible.

Rick Jelliffe

----- Original Message ----- 
From: "Miles Sabin" <miles@milessabin.com>
To: <xml-dev@lists.xml.org>
Sent: Wednesday, October 30, 2002 8:05 PM
Subject: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

> No surprises for us given that we've discussed this and related issues 
> here several times over the last few years, but nice to see it getting 
> a wider circulation. And unlike the theoretical discussions we've had, 
> this guy has gone out and tested existing software ...
>
> http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
>
> Gregory Steuck security advisory #1, 2002
>
> Overview:
>   XXE (Xml eXternal Entity) attack is an attack on an application that
>   parses XML input from untrusted sources using incorrectly configured
>   XML parser. The application may be coerced to open arbitrary files
>   and/or TCP connections.
>
> Cheers,
> Miles
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
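
The access-control idea from the reply above, sketched as an added example (not code from the thread or from any parser project): a Python SAX `EntityResolver` that checks each system identifier against an allowlist of directories and HTTP hosts before anything is opened. The class names, the allowlist parameters and `parse_with_acl` are hypothetical.

```python
import io
import os
from urllib.parse import urlsplit
from urllib.request import url2pathname
from xml.sax import SAXException, make_parser
from xml.sax.handler import EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

class EntityAccessDenied(SAXException):
    """The system identifier falls outside the resolver's ACL."""

class AclEntityResolver(EntityResolver):
    def __init__(self, allowed_dirs=(), allowed_hosts=()):
        # Canonicalise once so symlinked roots compare correctly.
        self.allowed_dirs = [os.path.realpath(d) for d in allowed_dirs]
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def check(self, system_id):
        """Return a local path, or None for a permitted HTTP host; raise otherwise."""
        if system_id.startswith(("\\\\", "//")):
            raise EntityAccessDenied("UNC/network path denied: " + system_id)
        url = urlsplit(system_id)
        if url.scheme in ("http", "https"):
            if (url.hostname or "").lower() not in self.allowed_hosts:
                raise EntityAccessDenied("host not in ACL: " + system_id)
            return None
        if url.scheme not in ("", "file") or url.netloc not in ("", "localhost"):
            raise EntityAccessDenied("scheme/authority denied: " + system_id)
        # realpath collapses ../ and symlinks before the directory comparison.
        path = os.path.realpath(url2pathname(url.path))
        if not any(os.path.commonpath([path, d]) == d for d in self.allowed_dirs):
            raise EntityAccessDenied("path outside ACL: " + system_id)
        if not os.path.isfile(path):  # rejects devices, FIFOs, directories
            raise EntityAccessDenied("not a regular file: " + system_id)
        return path

    def resolveEntity(self, publicId, systemId):
        path = self.check(systemId)
        source = InputSource(systemId)
        if path is not None:
            source.setByteStream(open(path, "rb"))
        return source

def parse_with_acl(xml_bytes, resolver):
    parser = make_parser()
    parser.setFeature(feature_external_ges, True)  # off by default since Python 3.7.1
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(xml_bytes))
    return True
```

The host check covers only the URL as written; redirects followed by whatever library performs the fetch are outside it.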



Copyright 2001 XML.org. This site is hosted by OASIS