Yes, I have but I may be missing your point.
We've known about external entity retrieval
problems since the SGML days. They were a
nuisance more than a threat then. Somewhere way
back when, this issue was brought up by
Newcomb, myself, et al. at the dawn of the
webUberAlles era. It is pretty obvious to
anyone that thinks about linking. Remember,
the concept of linkbases is really really old.
The wrinkle never seen before was using them
for names too. In olden times, one could
use a PUBLIC name and it would be non-dereferenceable
by design rather than by fiat.
I am simply wondering how many other ways it can
be exploited using the network if the AnythingImportantIsURINamed
and Smart People Prepend HTTP philosophy is
followed without understanding that these things
are always/whereevertheyarefound dereferenceable.
From: Miles Sabin [mailto:firstname.lastname@example.org
Bullard, Claude L (Len) wrote,
> Yep. However, since packets are sniffable?
Umm ... you've not been paying attention, have you ;-)
Other than the stuff David mentioned, the external entity attacks I