Full Disclosure mailing list archives
RE: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
From: Amit Klein <amit.klein () sanctuminc com>
Date: Tue, 17 Dec 2002 01:42:33 -0800
It's posts like this one that make Bugtraq a cheap brand name peddling place.
Wake up. Whether you like it or not, a substantial amount of BugTraq advisories are non-disclosure. This is by no means the first one. Full disclosure does not mean spelling out exploits for script kiddies. At the end of the day, the products became secure (due to patches offered by the vendors), and that's what counts.
Amit> - Other products from other vendors are known to be
Amit> vulnerable too
Perfect, and since we are not told what the vulnerability is, we are left vulnerable without any way to find out where the problem lies.
The vendors not listed are ones that were not contacted directly by me. These vendors did not contact me, and I have no information regarding their status with this vulnerability. As such, I did not include them in my advisory. If you use a product from such vendor, you should probably ask your vendor some questions.
Uh-oh, turns out it's the way DTD is supposed to work, not an implementation defect.
First, RTFM: "A SOAP message MUST NOT contain a Document Type Declaration" (http://www.w3.org/TR/SOAP/ section 3). And for the generic XML documents, I believe that it is possible to parse the DTD securely. The fact that the DTD allows you to do something does not mean that it is secure to do it. For example, the DTD allows you to define external entities, yet these clearly pose a security problem.
Thanks,
-Amit
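The SOAP rule quoted in the message above (no Document Type Declaration), enforced at the parser, as an added example that is not part of the original post. It uses Python's expat binding; the function name, exception class and sample messages are constructed for illustration.

```python
import xml.parsers.expat

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample messages (not taken from the advisory).
GOOD = (b'<?xml version="1.0"?>'
        b'<s:Envelope xmlns:s="' + SOAP11_NS.encode() + b'">'
        b'<s:Body><ping/></s:Body></s:Envelope>')
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE Envelope [<!ENTITY a "x">]>'
            b'<s:Envelope xmlns:s="' + SOAP11_NS.encode() + b'">'
            b'<s:Body>&a;</s:Body></s:Envelope>')
NOT_SOAP = b'<order><item/></order>'


class DTDForbidden(ValueError):
    """Raised when a message carries a Document Type Declaration."""


def check_soap_message(data: bytes) -> str:
    """Parse data, refusing any DOCTYPE; return the root's local name."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called when the parser reaches the DOCTYPE, before the internal
        # subset is processed, so no declared entity is stored or expanded.
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in a SOAP message")

    def on_start(name, attrs):
        if not root:
            root.append(name)  # "namespace-uri local-name" for the root

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # a handler exception aborts the parse here

    ns, _, local = root[0].rpartition(" ")
    if ns != SOAP11_NS or local != "Envelope":
        raise ValueError(f"root is not a SOAP 1.1 Envelope: {root[0]!r}")
    return local


if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("dtd", WITH_DTD), ("other", NOT_SOAP)):
        try:
            print(label, "accepted:", check_soap_message(msg))
        except ValueError as exc:
            print(label, "rejected:", exc)
```
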