xml-dev - Re: [xml-dev] XInclude: security risk 1

Re: [xml-dev] XInclude: security risk 1

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] XInclude: security risk 1
From: Miles Sabin <miles@milessabin.com>
Date: Fri, 1 Nov 2002 14:50:17 +0000
In-reply-to: <p04330100b9e837786987@[192.168.254.4]>
References: <p04330100b9e080b82819@[192.168.254.4]> <3DBD9ABD.4070509@netscape.com> <p04330100b9e837786987@[192.168.254.4]>

Elliotte Rusty Harold wrote,
> This is still probably less dangerous than the XInclude version of
> the attack because for it to succeed gandalf not only needs to exist,
> it must return something that can plausibly fit into an XML document:
> either XML or plain text that doesn't contain & or <. XInclude can
> use parse="text" to open up a lot more possibilities.
>
> The IMG case in HTML is qualitatively different. The success or
> failure of the loading of one IMG element is unrelated to the loading
> of anything else. As far as I've been able to devise, there's no
> direct way to communicate the result back to another host. (Perhaps
> JavaScript can do it. I really don't know.)

It's hard to say. It's likely to be highly implementation dependent. For 
instance, the victim might return different error responses depending 
on whether the document is unprocessable due to an unretrievable 
external entity or because it's otherwise ill-formed or invalid.

Good catch, BTW.

Cheers,


Miles

References:
- Re: [xml-dev] XInclude: security risk 1
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>

Prev by Date: Help with an XSD problem
Next by Date: RE: [xml-dev] Do you use Substitution Groups?
Previous by thread: Re: [xml-dev] XInclude: security risk 1
Next by thread: Do you use Substitution Groups?
Index(es):
- Date
- Thread