OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Billion laughs hits BugTraq

[ Lists Home | Date Index | Thread Index ]

> Full advisory here,
>   http://makeashorterlink.com/?Y42112AC2
>   Multiple vendors XML parser (and SOAP/WebServices server)
>   Denial of Service attack using DTD

This was discussed here a few weeks ago.
This DOS attack is possible with any conforming XML parser,
so it is not an issue of the particular implementations mentioned,
but rather a "feature" of XML itself.

Also, the SOAP specs make it a point to *not* allow
a document type declaration within a SOAP message, so conforming
SOAP implementations should not be susceptible to such an attack.

A "fix" would not necessarily involve XML parser implementations,
although we - the Expat team - have discussed adding some features
to make it easier to detect such a "malicious" DTD.

This advisory also does not mention the responses received
from the Expat team.

Looks as if Sanctum inc. http://www.sanctuminc.com/ just issued this
advisory to justify their existence.



News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS