XML-DEV Mailing List Archive

Re: Billion laughs hits BugTraq
> Full advisory here,
>
> http://makeashorterlink.com/?Y42112AC2
>
> Multiple vendors XML parser (and SOAP/WebServices server)
> Denial of Service attack using DTD

This was discussed here a few weeks ago. This DoS attack is possible with any conforming XML parser, so it is not an issue of the particular implementations mentioned, but rather a "feature" of XML itself. Also, the SOAP specs make it a point to *not* allow a document type declaration within a SOAP message, so conforming SOAP implementations should not be susceptible to such an attack.

A "fix" would not necessarily involve XML parser implementations, although we - the Expat team - have discussed adding some features to make it easier to detect such a "malicious" DTD.

This advisory also does not mention the responses received from the Expat team. Looks as if Sanctum inc. http://www.sanctuminc.com/ just issued this advisory to justify their existence.

Karl
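Both points in the message, that the attack is carried entirely by the DTD rather than by any parser defect and that SOAP sidesteps it by forbidding the document type declaration, can be shown against Expat itself through Python's standard xml.parsers.expat binding. The following is an added example written for this page; it is not code from the post, from the advisory or from the Expat project. The billion-laughs document, the SOAP envelope, the benign DTD and the one-million-character budget are all constructed for illustration, and the "detect a malicious DTD" logic is one possible approach, not the feature the Expat team discussed.

```python
# Added example (not code from the post, the advisory or the Expat project):
# measure a DTD's entity expansion with Expat before anything is expanded.
import re
import xml.parsers.expat as expat

# Constructed sample shaped like the advisory's document: ten levels of
# ten-fold expansion, so &lol9; expands to 3 * 10**9 characters while the
# document itself stays under 1 KB.
BILLION_LAUGHS = (
    b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n <!ENTITY lol0 "lol">\n'
    + b"".join(b' <!ENTITY lol%d "%s">\n' % (i, (b"&lol%d;" % (i - 1)) * 10)
               for i in range(1, 10))
    + b"]>\n<lolz>&lol9;</lolz>\n"
)
# Constructed SOAP 1.1 envelope: no DOCTYPE, as the SOAP specs require.
SOAP_MESSAGE = (
    b'<?xml version="1.0"?>\n'
    b'<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<env:Body><ping/></env:Body></env:Envelope>\n"
)
# Constructed document whose internal subset is harmless.
BENIGN_DTD = (b'<!DOCTYPE note [<!ENTITY who "the Expat team">]>'
              b"<note>Responses from &who;</note>\n")

PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}
ENTITY_REF = re.compile(r"&([^&;\s]+);")


class _StopAfterDtd(Exception):
    """Raised in a handler to halt Expat: it propagates out of Parse(), so
    nothing past that point is parsed, let alone expanded."""


def has_doctype(data: bytes) -> bool:
    """True if the document opens a DOCTYPE; parsing stops right there."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _StopAfterDtd

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except _StopAfterDtd:
        return True
    return False


def declared_expansions(data: bytes) -> dict:
    """Expanded size in characters of each internal general entity, computed
    from the literals alone; the parser is stopped at ']>'. A recursive
    definition (a well-formedness error) maps to inf."""
    literals, parser = {}, expat.ParserCreate()

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if not is_param and value is not None:  # internal general entity
            literals.setdefault(name, value)  # XML: first declaration binds

    def on_end_doctype():
        raise _StopAfterDtd

    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(data, True)
    except _StopAfterDtd:
        pass

    sizes = {}

    def size(name, visiting):
        if name in sizes:
            return sizes[name]
        if name.startswith("#") or name in PREDEFINED:
            return 1  # character reference or predefined entity
        if name not in literals:
            return 0  # undeclared: expansion fails rather than grows
        if name in visiting:
            return float("inf")  # recursion never terminates
        value = literals[name]
        sizes[name] = len(ENTITY_REF.sub("", value)) + sum(
            size(ref, visiting | {name}) for ref in ENTITY_REF.findall(value))
        return sizes[name]

    for name in literals:
        size(name, frozenset())
    return sizes


def check_message(data: bytes, allow_doctype=False, budget=1_000_000) -> str:
    """The two defences from the thread: a SOAP endpoint rejects any DOCTYPE
    ('doctype'); a general XML endpoint may admit a DTD but refuses one whose
    entities would expand past the budget ('expansion:<chars>'); else 'ok'."""
    if has_doctype(data):
        if not allow_doctype:
            return "doctype"
        worst = max(declared_expansions(data).values(), default=0)
        if worst > budget:
            return "expansion:%s" % worst
    return "ok"
```

Calling `check_message(BILLION_LAUGHS)` returns `"doctype"` (the SOAP rule), while `check_message(BILLION_LAUGHS, allow_doctype=True)` returns `"expansion:3000000000"` without ever producing those three gigabytes: the only work done is a memoised walk over the nine entity literals. External entities (reported by Expat with a `None` value) are ignored here, so this estimate covers only the internal subset. Expat itself later gained built-in amplification limits (release 2.4.0, 2021), but the pre-parse sizing shown here is the kind of cheap detection that works on any Expat version and does not depend on a parser change.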