[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
Entities can execute system level commands?
- From: "Costello, Roger L." <costello@mitre.org>
- To: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
- Date: Mon, 19 Jul 2010 09:08:29 -0400
Hi Folks,
The RFC on XML Media Types (RFC2376) says this in the section on Security Considerations:
XML entities contain
information to be parsed and processed by the recipient's XML system.
These entities may contain and such systems may permit explicit
system level commands to be executed while processing the data. To
the extent that an XML system will execute arbitrary command strings,
recipients of XML entities may be at risk. In general, it may be
possible to specify commands that perform unauthorized file
operations ...
Yikes!
How can the use of an entity result in "explicit system level commands to be executed while processing the data"?
For example, here is an XML document that contains an external entity reference:
<?xml version="1.0"?>
<!DOCTYPE BookCatalogue [
<!ENTITY Book SYSTEM "Book.xml">
]>
<BookCatalogue>
&Book;
<Book>
<Title>Illusions The Adventures of a Reluctant Messiah</Title>
<Author>Richard Bach</Author>
<Date>1977</Date>
<ISBN>0-440-34319-4</ISBN>
<Publisher>Dell Publishing Co.</Publisher>
</Book>
<Book>
<Title>The First and Last Freedom</Title>
<Author>J. Krishnamurti</Author>
<Date>1954</Date>
<ISBN>0-06-064831-7</ISBN>
<Publisher>Harper & Row</Publisher>
</Book>
</BookCatalogue>
How can this entity execute system level commands?
/Roger
See Section 4 of RFC2376: http://www.ietf.org/rfc/rfc2376.txt
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]