xml-dev - Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: Miles Sabin <miles@milessabin.com>
Date: Wed, 30 Oct 2002 10:20:58 +0000
In-reply-to: <01ad01c27ffb$9aa10d40$4bc8a8c0@AlletteSystems.com>
References: <200210300905.44376.miles@milessabin.com> <01ad01c27ffb$9aa10d40$4bc8a8c0@AlletteSystems.com>

Rick Jelliffe wrote,
> > * Unauthorized access to data stored as XML files on the parsing
> >   system file system (of course the attacker still needs a way to
> >   get these data back)
>
> Err, yes: this is a bit too vague to be credible isn't it.

I sketched a scenario here,

  http://lists.xml.org/archives/xml-dev/200206/msg00247.html

(see towards the middle, "unexpected information disclosure"). Maybe 
still a bit vague, and highly dependent on the functionality of the 
receiving application ... but I think the possibility is credible 
enough.

Cheers,


Miles

References:
- Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@milessabin.com>
- Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: "Rick Jelliffe" <ricko@allette.com.au>

Prev by Date: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by Date: Re: [xml-dev] XML Object Serialization
Previous by thread: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by thread: Internationalising Regular Expressions
Index(es):
- Date
- Thread