OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

[ Lists Home | Date Index | Thread Index ]

Rick Jelliffe wrote,
> > * Unauthorized access to data stored as XML files on the parsing
> >   system file system (of course the attacker still needs a way to
> >   get these data back)
>
> Err, yes: this is a bit too vague to be credible isn't it.

I sketched a scenario here,

  http://lists.xml.org/archives/xml-dev/200206/msg00247.html

(see towards the middle, "unexpected information disclosure"). Maybe 
still a bit vague, and highly dependent on the functionality of the 
receiving application ... but I think the possibility is credible 
enough.

Cheers,


Miles




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS