xml-dev - Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?

Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?

[ Lists Home | Date Index | Thread Index ]

To: <xml-dev@lists.xml.org>
Subject: Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?
From: "Ken North" <kennorth@sbcglobal.net>
Date: Fri, 23 Sep 2005 12:46:49 -0700
References: <15725CF6AFE2F34DB8A5B4770B7334EE0720746B@hq1.ingr-corp.com> <4332E386.8040009@koberg.com>

Robert Koberg wrote:
> But isn't this more about server admins than possible problems with
> script in content?
>
> How can their be problems if the script cannot be executed?

Given that we've seen security threats related to non-executable content, you
comment about server administration hits the nail on the head.

1. Vulnerabilities related to XML, DTD, XML-RPC and SOAP processing:
http://www.webservicessummit.com/Vulnerabilities.htm

2. SQL injection vulnerabilities are epidemic.

3. MP3, WMA, AVI, PNG and JPEG have been exploited. The problem is often a
buffer overrun that can be exploited by constructing a file to cause the overrun
and allow malware to execute.

There's a worm that exploited a vulnerability in some Windows apps that read
JPEG images. One of the MP3 exploits uses an ID3 tag.
There have been vulnerabilities in media players (Flash Player, RealPlayer,
Windows Media Player, MPlayer).

======== Ken North ===========
www.WebServicesSummit.com
www.SQLSummit.com
www.GridSummit.com

References:
- RE: [xml-dev] Wrapping Scripted Media in RSS: Secure?
  - From: "Bullard, Claude L (Len)" <len.bullard@intergraph.com>
- Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?
  - From: Robert Koberg <rob@koberg.com>

Prev by Date: Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?
Next by Date: RE: [xml-dev] Wrapping Scripted Media in RSS: Secure?
Previous by thread: Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?
Next by thread: RE: [xml-dev] Wrapping Scripted Media in RSS: Secure?
Index(es):
- Date
- Thread