> Full advisory here,
>
> http://makeashorterlink.com/?Y42112AC2
>
> Multiple vendors XML parser (and SOAP/WebServices server)
> Denial of Service attack using DTD
This was discussed here a few weeks ago.
This DoS attack is possible with any conforming XML parser,
so it is not an issue of the particular implementations mentioned,
but rather a "feature" of XML itself.
Also, the SOAP specs make it a point to *not* allow
a document type declaration within a SOAP message, so conforming
SOAP implementations should not be susceptible to such an attack.
A "fix" would not necessarily involve XML parser implementations,
although we - the Expat team - have discussed adding some features
to make it easier to detect such a "malicious" DTD.
This advisory also does not mention the responses received
from the Expat team.
Looks as if Sanctum Inc. (http://www.sanctuminc.com/) just issued this
advisory to justify their existence.
Karl
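Added example, not part of the original post, the advisory or the Expat project's own code: a small entity-expansion DTD of the kind discussed above, parsed with Python's binding to Expat (xml.parsers.expat), followed by the two defences a SOAP endpoint can take from the thread: refusing any document type declaration up front, as the SOAP specs require, or, for a parser that must accept a DTD, bounding how far entity expansion may outgrow the input. The sample messages are constructed; the SOAP 1.1 envelope namespace is the real one, while the max_ratio budget is an assumed policy knob of this example, not an Expat option.

```python
import xml.parsers.expat as expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: each entity references the one below it four times, so
# &e3; expands to 4**3 = 64 copies of LEAF (1024 characters) from an input of
# a few hundred bytes. Three levels keep the example cheap; the same shape with
# ten levels of ten references is the classic "billion laughs" document.
LEAF = "x" * 16
MALICIOUS_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE env [\n"
    f'  <!ENTITY e0 "{LEAF}">\n'
    '  <!ENTITY e1 "&e0;&e0;&e0;&e0;">\n'
    '  <!ENTITY e2 "&e1;&e1;&e1;&e1;">\n'
    '  <!ENTITY e3 "&e2;&e2;&e2;&e2;">\n'
    "]>\n"
    f'<env:Envelope xmlns:env="{SOAP_ENV}">'
    "<env:Body><data>&e3;</data></env:Body></env:Envelope>"
)

# Constructed sample: a well-formed SOAP message without a DTD.
CLEAN_DOC = (
    f'<env:Envelope xmlns:env="{SOAP_ENV}">'
    "<env:Body><data>hello</data></env:Body></env:Envelope>"
)


class DoctypeNotAllowed(Exception):
    """Raised when a document type declaration is encountered."""


class ExpansionTooLarge(Exception):
    """Raised when entity expansion exceeds the configured budget."""


def expanded_text_length(doc: str) -> int:
    """Parse permissively (entities expanded, as any conforming parser does)
    and return how many characters of character data were delivered. The
    ratio to len(doc) is the amplification the attacker gets for free."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    p = expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return total


def parse_soap_strict(doc: str) -> list:
    """Parse a SOAP message, refusing any DOCTYPE. The handler fires as soon
    as '<!DOCTYPE' is seen, before a single entity is declared, let alone
    expanded, so no amplification can occur. Returns the element names seen."""
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} is not permitted in a SOAP message")

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.StartElementHandler = lambda name, attrs: names.append(name)
    p.Parse(doc, True)
    return names


def is_accepted(doc: str) -> bool:
    """True if the strict SOAP parser accepts the message."""
    try:
        parse_soap_strict(doc)
        return True
    except DoctypeNotAllowed:
        return False


def parse_with_expansion_budget(doc: str, max_ratio: int = 10) -> int:
    """For parsers that must accept a DTD: expand entities, but abort once the
    delivered character data exceeds max_ratio times the input size (max_ratio
    is this example's assumed policy knob). Returns the characters delivered."""
    budget = max_ratio * len(doc)
    delivered = 0

    def on_chars(data):
        nonlocal delivered
        delivered += len(data)
        if delivered > budget:
            raise ExpansionTooLarge(f"{delivered} chars from {len(doc)} input chars")

    p = expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return delivered


def within_budget(doc: str, max_ratio: int = 10) -> bool:
    """True if the document parses without exceeding the expansion budget."""
    try:
        parse_with_expansion_budget(doc, max_ratio)
        return True
    except ExpansionTooLarge:
        return False


if __name__ == "__main__":
    print("input chars:", len(MALICIOUS_DOC), "expanded:", expanded_text_length(MALICIOUS_DOC))
    print("strict parser accepts malicious/clean:", is_accepted(MALICIOUS_DOC), is_accepted(CLEAN_DOC))
    print("malicious doc within 2x budget:", within_budget(MALICIOUS_DOC, 2))
```

The DOCTYPE check is the cheap option and matches what the SOAP specs already demand; the budget approach is the kind of heuristic the post mentions for detecting a malicious DTD, and it still costs the parser the work done up to the point the budget trips.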