Full Disclosure mailing list archives
PAPER: Attacking Server Side XML Parsers
From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Wed, 2 Feb 2011 02:55:21 +0100
Hello lists, the paper included in this email discusses, as the subject describes, the issues of XML parsers and how they can be exploited in a web application environment.
From the Preface:
During the audit of web applications one might come across an application which handles XML files. Specifically there can be an application which allows uploading XML files which are thereafter inserted into a database and used for later displaying on the front end of the application viewable by the user. I came across a significant “vulnerability class” which allows an attacker (or penetration tester) to evoke a scenario which will give access to all files on the underlying file system which the application server runs as. This includes (in the case the application is programmed in the Java language) access to directory listings as well.

Any pointers if this was helpful to you are appreciated.

Best Regards,
Kingcope
Attachment:
Attacking Server Side XML Parsers.pdf
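The scenario in the preface (uploaded XML handed to a server-side parser that resolves entities against the local file system) is usually mitigated by refusing DTD and entity declarations before the document reaches the application's parser. The following pre-parse guard is an added example, not code from the paper or from Kingcope; it uses only the Python standard library's expat bindings, and the sample documents are constructed.

```python
"""Pre-parse guard for uploaded XML (added example, not part of the paper).

Any DOCTYPE, entity declaration or external entity reference is rejected
before the document is handed to the application's real parser, so a
document that tries to pull in local files via an external entity never
gets that far.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an upload contains a construct the service does not allow."""


def check_uploaded_xml(data: bytes) -> bool:
    """Return True if `data` is well-formed XML with no DOCTYPE, entity
    declaration or external entity reference; raise UnsafeXMLError otherwise."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Fires on any <!DOCTYPE ...>, whether the subset is inline or external.
        raise UnsafeXMLError("DOCTYPE declaration not allowed: %s" % name)

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        # Fires on <!ENTITY ...>, internal or external, general or parameter.
        raise UnsafeXMLError("entity declaration not allowed: %s" % name)

    def reject_external_ref(context, base, system_id, public_id):
        # Fires when the parser is about to resolve an external entity.
        raise UnsafeXMLError("external entity reference not allowed: %s" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError("malformed XML: %s" % exc) from exc
    return True


def is_safe(data: bytes) -> bool:
    """Boolean form of check_uploaded_xml for callers that only need a verdict."""
    try:
        return check_uploaded_xml(data)
    except UnsafeXMLError:
        return False


if __name__ == "__main__":
    # Constructed samples: a plain record and one declaring an external entity.
    print(is_safe(b"<items><item id='1'>ok</item></items>"))
    print(is_safe(b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///constructed/example">]><d>&e;</d>'))
```

The guard is a filter in front of the real parser, not a replacement for disabling DTD processing in that parser's own configuration as well.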