Full Disclosure mailing list archives

Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD


From: Gregory Steuck <greg-fulldisclosure () nest cx>
Date: 17 Dec 2002 11:32:10 -0800

"Amit" == Amit Klein <amit.klein () sanctuminc com> writes:

    Amit> Whether you like it or not, a substantial amount of
    Amit> BugTraq advisories are non-disclosure. This is by no means the
    Amit> first one.  Full disclosure does not mean spelling out
    Amit> exploits for script kiddies.

I don't advocate "0wning t00lz", I advocate providing enough details to
help intelligent programmers to avoid repeating the old mistakes. And
your evaluation of bugtraq seems to match mine, so it is time for those
who seek knowledge to move on. Thank you Georgi, for bringing
full-disclosure to my attention.

    >>  Uh-oh, turns out it's the way DTD is supposed to work, not an
    >> implementation defect.

    Amit> First, RTFM: "A SOAP message MUST NOT contain a Document Type
    Amit> Declaration" (http://www.w3.org/TR/SOAP/ section 3).

A clarification is in order, I meant to say "not an implementation
defect in XML parser".

    Amit> And for the generic XML documents, I believe that it is
    Amit> possible to parse the DTD securely.

That's precisely my point: as a developer I need to know what I should
be looking for. Your advisory does not teach me much. It does not tell
me how to use an XML parser safely.

Thanks
Greg
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
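
The rule quoted in the message above ("A SOAP message MUST NOT contain a Document Type Declaration") can be enforced before any DTD content is processed. The following is an added example, not part of the original post or of any vendor's code: it uses Python's standard `xml.parsers.expat` module, and the function names and the two sample messages are constructed for illustration.

```python
import xml.parsers.expat


class DoctypeForbidden(ValueError):
    """Raised when a message carries a Document Type Declaration."""


def parse_soap_without_dtd(data: bytes) -> list:
    """Parse `data` and return the element names in document order.

    The DOCTYPE handler fires before any entity declaration is read,
    so raising here stops the parser before the DTD is processed.
    """
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden("DOCTYPE %r is not allowed in a SOAP message" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def accepts(data: bytes) -> bool:
    """True if the message parses and carries no DOCTYPE."""
    try:
        parse_soap_without_dtd(data)
        return True
    except (DoctypeForbidden, xml.parsers.expat.ExpatError):
        return False


# Constructed sample messages (not taken from the advisory).
ENVELOPE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body><ping>%s</ping></soap:Body></soap:Envelope>')
CLEAN = b'<?xml version="1.0"?>' + ENVELOPE % b"hello"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE Envelope [<!ENTITY greeting "hello">]>'
            + ENVELOPE % b"&greeting;")

if __name__ == "__main__":
    print("clean message accepted:", accepts(CLEAN))
    print("message with DOCTYPE accepted:", accepts(WITH_DTD))
```

For generic XML documents that legitimately need a DTD, this all-or-nothing check does not apply and the parser's entity handling has to be limited instead.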