[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack

xxe xinclude
It strikes me that this puts the cart before the horse.  The answer is not to ban 
external entities, it is to allow access control lists as part of entity managers
or URL resolvers.

> * DoS on the parsing system by making it open, e.g.
>   file:///dev/random | file:///dev/urandom | file://c:/con/con

ACL can address this.

> * TCP scans using HTTP external entities (including behind firewalls
>   since application servers often have world view different
>   from that of the attacker)

ACL can fix this

> * Unauthorized access to data stored as XML files on the parsing
>   system file system (of course the attacker still needs a way to
>   get these data back)

Err, yes: this is a bit too vague to be credible isn't it. But an ACL system
would fix that.

>  * DoS on other systems (if parsing system is allowed to establish
>   TCP connections to other systems)

ACL would reduce this.  

> * NTLM authentication material theft by initiating UNC file access to
>   systems under attacker control (far fetched?)


> * Doomsday scenario: A widely deployed and highly connected application
>   vulnerable to this attack may be used for DDoS.

ACL can reduce this. 

An interesting point is that XInclude and other inbody links which are automatically
fetched, parsed and embedded are susceptible to some kind of DoS where 
a resource fetched from a system under attacker control generates a never 
terminating series of XInclude references, each included document including
more documents.  At least the prolog fixes the number of entities possible.

Rick Jelliffe

----- Original Message ----- 
From: "Miles Sabin" <miles@m...>
To: <xml-dev@l...>
Sent: Wednesday, October 30, 2002 8:05 PM
Subject:  Seen on BugTraq: XXE (Xml eXternal Entity) attack

> No surprises for us given that we've discussed this and related issues 
> here several times over the last few years, but nice to see it getting 
> a wider circulation. And unlike the theoretical discussions we've had, 
> this guy has gone out and tested existing software ...
> http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
> Gregory Steuck security advisory #1, 2002
> Overview:
>   XXE (Xml eXternal Entity) attack is an attack on an application that
>   parses XML input from untrusted sources using incorrectly configured
>   XML parser. The application may be coerced to open arbitrary files
>   and/or TCP connections.
> Cheers,
> Miles
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>


Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
First Name
Last Name
Subscribe in XML format
RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.