OASIS Mailing List Archives
   Re: [xml-dev] Excellent IETF BCP on XML


Bullard, Claude L (Len) wrote,
> Yep.  However, since packets are sniffable?

Umm ... you've not been paying attention, have you ;-)

Other than the stuff David mentioned, the external entity attacks I 
discussed here,

  http://lists.xml.org/archives/xml-dev/200206/msg00240.html
  http://lists.xml.org/archives/xml-dev/200206/msg00247.html

are directly applicable if RDDL documents are retrieved recklessly.

Elliotte RH's XInclude attack is similar,

  http://lists.xml.org/archives/xml-dev/200210/msg01461.html

and he came up with another entity variant here,

  http://lists.xml.org/archives/xml-dev/200211/msg00027.html

And there was also the BugTraq advisory reporting poor choices of 
default retrieval behaviour for external entities here by several 
widely deployed parsers,

http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0

I wouldn't be at all surprised if we see another one some time in the 
future reporting poor choices of retrieval behaviour for RDDL 
documents.

Cheers,


Miles
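The retrieval behaviour Miles is talking about comes down to what a parser does when it meets a reference to an external general entity (or an external DTD) in a document fetched from somewhere it does not control. The following is an added example, not code from the thread or from any of the parsers the BugTraq advisory covered; it uses Python's pyexpat bindings to make the policy explicit: never fetch parameter entities or the external DTD subset, and reject any document that tries to pull in an external general entity, recording the system id that was refused. The documents are constructed for the example and the URL in them is a deliberately unresolvable placeholder.

```python
import xml.parsers.expat

# Constructed sample: a document that pulls in an external resource
# through a general entity, the pattern discussed in the thread.
# The URL is a placeholder; nothing here ever contacts it.
DOC_WITH_EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE rddl [
  <!ENTITY ext SYSTEM "http://example.invalid/some-rddl">
]>
<rddl>&ext;</rddl>
"""

# Constructed sample: a harmless document with no entity references.
PLAIN_DOC = b"""<?xml version="1.0"?>
<rddl><p>hi</p></rddl>
"""


def parse_refusing_external_entities(data: bytes) -> dict:
    """Parse XML with a retrieval policy of 'never', returning a report.

    The report has 'accepted' (bool), 'refused' (list of (system_id,
    public_id) tuples for external general entities the parser was asked
    to load), and either 'text' (character data seen) or 'error'.
    """
    parser = xml.parsers.expat.ParserCreate()
    refused = []
    chars = []

    # Parameter entities and the external DTD subset are never fetched.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_external_entity(context, base, system_id, public_id):
        # Record what the document tried to pull in, then tell expat the
        # reference was NOT handled (0): the parse aborts with ExpatError
        # instead of silently expanding the entity to nothing.
        refused.append((system_id, public_id))
        return 0

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chars.append

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        return {"accepted": False, "refused": refused, "error": str(exc)}
    return {"accepted": True, "refused": refused, "text": "".join(chars)}


if __name__ == "__main__":
    for label, doc in (("external entity", DOC_WITH_EXTERNAL_ENTITY),
                       ("plain", PLAIN_DOC)):
        print(label, parse_refusing_external_entities(doc))
```

Returning 0 from the handler is the strict choice: the first refused reference stops the parse, so a rejected document reports only the first system id it tried to fetch. Returning 1 without opening anything would instead let the parse continue with the entity expanded to empty text, which is the quieter behaviour some parsers adopt by default; the point of the explicit handler is that the choice is made on purpose and logged rather than inherited from the library.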



