OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] XInclude: security risk 1

[ Lists Home | Date Index | Thread Index ]

Elliotte Rusty Harold wrote,
> This is still probably less dangerous than the XInclude version of
> the attack because for it to succeed gandalf not only needs to exist,
> it must return something that can plausibly fit into an XML document:
> either XML or plain text that doesn't contain & or <. XInclude can
> use parse="text" to open up a lot more possibilities.
> The IMG case in HTML is qualitatively different. The success or
> failure of the loading of one IMG element is unrelated to the loading
> of anything else. As far as I've been able to devise, there's no
> direct way to communicate the result back to another host. (Perhaps
> JavaScript can do it. I really don't know.)

It's hard to say. It's likely to be highly implementation dependent. For 
instance, the victim might return different error responses depending 
on whether the document is unprocessable due to an unretrievable 
external entity or because it's otherwise ill-formed or invalid.

Good catch, BTW.




News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS