OASIS Mailing List Archives



   Re: [xml-dev] Malicious XML


Karl Waclawek writes:

 > According to James Clark it is a reasonably well known XML
 > vulnerability. I can e-mail you. I am not sure if I should
 > post it publicly - any comments on that?

[note: I've seen it by private mail]

Yes, you should post it publicly, for two reasons:

1. People cannot protect themselves against what they don't know.

2. There's very little XML flowing outside the firewall (virtually nil
   in Web terms), so there's not much for a script kiddie to attack.

I suppose we need to consider XML-aware Web browsers like MSIE, but
you hardly need a sophisticated attack to crash those anyway.

All the best,


David Megginson, david@megginson.com, http://www.megginson.com/



Copyright 2001 XML.org. This site is hosted by OASIS