Lists Home |
Date Index |
Elliotte Rusty Harold wrote,
> This is still probably less dangerous than the XInclude version of
> the attack because for it to succeed gandalf not only needs to exist,
> it must return something that can plausibly fit into an XML document:
> either XML or plain text that doesn't contain & or <. XInclude can
> use parse="text" to open up a lot more possibilities.
> The IMG case in HTML is qualitatively different. The success or
> failure of the loading of one IMG element is unrelated to the loading
> of anything else. As far as I've been able to devise, there's no
> direct way to communicate the result back to another host. (Perhaps
It's hard to say. It's likely to be highly implementation dependent. For
instance, the victim might return different error responses depending
on whether the document is unprocessable due to an unretrievable
external entity or because it's otherwise ill-formed or invalid.
Good catch, BTW.