Lists Home |
Date Index |
> Full advisory here,
> Multiple vendors XML parser (and SOAP/WebServices server)
> Denial of Service attack using DTD
This was discussed here a few weeks ago.
This DOS attack is possible with any conforming XML parser,
so it is not an issue of the particular implementations mentioned,
but rather a "feature" of XML itself.
Also, the SOAP specs make it a point to *not* allow
a document type declaration within a SOAP message, so conforming
SOAP implementations should not be susceptible to such an attack.
A "fix" would not necessarily involve XML parser implementations,
although we - the Expat team - have discussed adding some features
to make it easier to detect such a "malicious" DTD.
This advisory also does not mention the responses received
from the Expat team.
Looks as if Sanctum inc. http://www.sanctuminc.com/ just issued this
advisory to justify their existence.