   Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

Rick Jelliffe wrote,
> > * Unauthorized access to data stored as XML files on the parsing
> >   system file system (of course the attacker still needs a way to
> >   get these data back)
> Err, yes: this is a bit too vague to be credible isn't it.

I sketched a scenario here,


(see towards the middle, "unexpected information disclosure"). Maybe 
still a bit vague, and highly dependent on the functionality of the 
receiving application ... but I think the possibility is credible 




Copyright 2001 XML.org. This site is hosted by OASIS