Bugtraq mailing list archives
Sun JRE / JDK bug introduces XXE possibilities
From: "Chris Evans" <scarybeasts () gmail com>
Date: Sat, 2 Feb 2008 14:21:13 +0000
Hi,

Now that Sun has fixed this in JDK6u4, I thought this might be of interest to people:

http://scarybeastsecurity.blogspot.com/

Essentially, one common XXE protection method was broken in the default XML parser, in JDK6. In particular, I'm worried about web services (and other server-side XML accepting technologies) deployed under JDK6.

I haven't had time to look into common web service frameworks and see how they implement XXE protection. Might be interesting to look into specific technologies that broke.

Cheers
Chris