Re: [xml-dev] Namespace prefixes are a security risk
- From: "David A. Lee" <dlee@calldei.com>
- To: "G. Ken Holman" <gkholman@CraneSoftwrights.com>
- Date: Mon, 28 Dec 2009 11:52:51 -0500
You don't even need namespaces for this 'hidden message'.
Just put the original order in a file
attacknow.xml
or host it at
http://www.attacknow.com/
Or send it in an email with a subject like "Attach Now".
In fact you don't need the XML at all for any of this. An empty or
non-existent file will do.
David A. Lee
dlee@calldei.com
http://www.calldei.com
http://www.xmlsh.org
812-482-5224
G. Ken Holman wrote:
> At 2009-12-28 11:14 -0500, Costello, Roger L. wrote:
>> The problem described below occurs with XML 'guards' that are trying
>> to prevent the release of unauthorized information at an enclave
>> boundary.
>
> Surely, Roger, you've been dipping into the New Year's grog a bit
> early here, haven't you?
>
>> Namespace prefixes provide a ready channel for transmitting
>> information out of the protected enclave. That channel is overlooked
>> by most XML applications, except for an application that is
>> specifically looking for that information.
>> ...
>> <attackNOW:book xmlns:attackNOW="http://www.book.org">
>> <attackNOW:title>The Origin of Wealth</attackNOW:title>
>> ...
>> Not so innocent-looking anymore, is it?
>
> No, it looks ludicrous!
>
> I'm guessing you are pulling our collective legs here for some holiday
> fun. This is reminiscent of worries of rock music carrying hidden
> transmissions programming the teenagers to rebel against their parents.
>
> Have a happy new year!
>
> . . . . . . . . . . . Ken
>
>
> --
> UBL and Code List training: Copenhagen, Denmark 2010-02-08/10
> XSLT/XQuery/XPath training after http://XMLPrague.cz 2010-03-15/19
> XSLT/XQuery/XPath training: San Carlos, California 2010-04-26/30
> Vote for your XML training: http://www.CraneSoftwrights.com/x/i/
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/x/
> Training tools: Comprehensive interactive XSLT/XPath 1.0/2.0 video
> Video lesson: http://www.youtube.com/watch?v=PrNjJCh7Ppg&fmt=18
> Video overview: http://www.youtube.com/watch?v=VTiodiij6gE&fmt=18
> G. Ken Holman mailto:gkholman@CraneSoftwrights.com
> Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/x/bc
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal
>
>
> _______________________________________________________________________
>
> XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> to support XML implementation and development. To minimize
> spam in the archives, you must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
> subscribe: xml-dev-subscribe@lists.xml.org
> List archive: http://lists.xml.org/archives/xml-dev/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
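Roger's quoted point is that the prefix is invisible to most tree APIs, so a guard never sees it. As an added example (not code from this thread or from any of its posters; it uses only the Python standard library, and the sample document and helper names are constructed), here is what a guard can do on both sides: list the prefixes as actually written (detection), and re-serialize with canonical prefixes so that the author's choice cannot carry anything (mitigation).

```python
import io
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

XML_NS = "http://www.w3.org/XML/1998/namespace"  # must never be rebound
# Constructed sample: only the author-chosen prefix carries the "message".
SAMPLE = ('<attackNOW:book xmlns:attackNOW="http://www.book.org">'
          '<attackNOW:title>The Origin of Wealth</attackNOW:title>'
          '</attackNOW:book>')

def declared_prefixes(xml_text):
    """Detection: (prefix, uri) pairs as written; a tree API hides them."""
    src = io.BytesIO(xml_text.encode("utf-8"))
    return [pu for _, pu in ET.iterparse(src, events=("start-ns",))]

def _split(name):  # "{uri}local" -> (uri, local); plain name -> (None, name)
    m = re.match(r"\{(.*)\}(.*)", name)
    return (m.group(1), m.group(2)) if m else (None, name)

def _qname(name, prefix):
    uri, local = _split(name)
    if uri is None or uri == XML_NS:  # plain names and xml:* stay as they are
        return local if uri is None else f"xml:{local}"
    return f"{prefix[uri]}:{local}"

def _serialize(el, prefix, declare):
    out = ["<" + _qname(el.tag, prefix)]
    if declare:  # declare every namespace once, on the root element
        out.extend(f' xmlns:{p}="{escape(u)}"' for u, p in prefix.items())
    out.extend(f" {_qname(k, prefix)}={quoteattr(v)}" for k, v in el.attrib.items())
    out.append(">" + escape(el.text or ""))
    for child in el:
        out.append(_serialize(child, prefix, False) + escape(child.tail or ""))
    out.append("</" + _qname(el.tag, prefix) + ">")
    return "".join(out)

def normalize_prefixes(xml_text):
    """Mitigation: re-serialize with canonical prefixes ns0, ns1, ... in
    document order. Names, URIs, text and attributes survive; the prefix
    choice (the channel) does not."""
    root = ET.fromstring(xml_text)
    uris = []
    for el in root.iter():
        for name in (el.tag, *el.attrib):
            uri, _ = _split(name)
            if uri not in (None, XML_NS) and uri not in uris:
                uris.append(uri)
    prefix = {u: f"ns{i}" for i, u in enumerate(uris)}
    return _serialize(root, prefix, True)
```

This only closes the prefix channel; the file name, URL and mail subject that David points to are outside the document and need their own handling.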