RE: Multiple vendors XML parser (and SOAP/WebServices server) Den ial of Service attack using DTD

[Amit Klein <amit.klein () sanctuminc com>]

> It's posts like
> this one that make Bugtraq a cheap brand name peddling place.

Wake up. Whether you like ot or not, a substantial amount of BugTraq
advisories are non-doscilsure. This is by no means the first one.
Full disclosure does not mean spelling out exploits for script kiddies. At
the end of the day, the products became secure (due to patches
offered by the vendors), and that's what counts.

>     Amit>  - Other products from other vendors are known to be
>     Amit> vulnerable too
>
> Perfect, and since we are not told what the vulnerability is, we are
> left vulnerable without any way to find out where the problem lies.

The vendors not listed are ones that were not contacted directly by me.
These vendors did not contact me, and I have no information 
regarding their status with this vulnerability. As such, I did not include
them in my advisory. If you use a product from such vendor, you
should probably ask your vendor some questions.
 
> Uh-oh, turns out it's the way DTD is supposed to work, not an
> implementation defect.

First, RTFM: "A SOAP message MUST NOT contain a Document Type Declaration"
(http://www.w3.org/TR/SOAP/ section 3). 
And for the generic XML documents, I believe that it is possible to parse 
the DTD securely. The fact that the DTD allows you to do something does not
mean that it is secure to do it. 
For example, the DTD allows you to define external entities, yet these
clearly pose a security problem.

Thanks,
-Amit