Full Disclosure mailing list archives
Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
From: Gregory Steuck <greg-fulldisclosure () nest cx>
Date: 17 Dec 2002 11:32:10 -0800
"Amit" == Amit Klein <amit.klein () sanctuminc com> writes:
Amit> Whether you like ot or not, a substantial amount of Amit> BugTraq advisories are non-doscilsure. This is by no means the Amit> first one. Full disclosure does not mean spelling out Amit> exploits for script kiddies. I don't advocate "0wning t00lz", I advocate providing enough details to help intelligent programmers to avoid repeating the old mistakes. And your evaluation of bugtraq seems to match mine, so it is time for those who seek knowledge to move on. Thank you Georgi, for bringing full-disclosure to my attention. >> Uh-oh, turns out it's the way DTD is supposed to work, not an >> implementation defect. Amit> First, RTFM: "A SOAP message MUST NOT contain a Document Type Amit> Declaration" (http://www.w3.org/TR/SOAP/ section 3). A clarification is in order, I meant to say "not an implementation defect in XML parser". Amit> And for the generic XML documents, I believe that it is Amit> possible to parse the DTD securely. That's precisely my point: as a developer I need to know what I should be looking for. Your advisory does not teach me much. It does not tell me how to use an XML parser safely. Thanks Greg _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Multiple vendors XML parser (and SOAP/WebServices server) Den ial of Service attack using DTD Amit Klein (Dec 17)
- Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD Gregory Steuck (Dec 17)