
Re: XInclude: security risk 1


>On reflection, I think XInclude's security issues are really just a
>subset of those that browsers have with XSLT, or at least are solvable
>in the same way.  XSLT allows you to fetch data from a local file
>using document("file:///whatever") and even allows you to pass out
>that information as part of a URL in another document() call.

You're right. That does sound like another security hole, and 
possibly worse. It also had not occurred to me that you might 
XInclude a file URL. That opens up some more holes.

>I checked what Mozilla does in this case, and it appears to refuse
>to fetch a file: URL from a document() call in a remote stylesheet.

Which raises the questions:

1. What does IE6 do?
2. What does Mozilla do when faced with an http URL in the document() 
function that points to a host other than the document base?

The XSLT issue is potentially worse because you could use XSLT to 
actually include the contents of the stolen XML document in the URL 
you passed back to the hacker's server. It is somewhat (though far 
from completely) mitigated by the fact that the document() function 
can only point to well-formed XML documents so it can't steal 
absolutely any file or URL.
-- 

+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@m... | Writer/Programmer |
+-----------------------+------------------------+-------------------+
|          XML in a  Nutshell, 2nd Edition (O'Reilly, 2002)          |
|              http://www.cafeconleche.org/books/xian2/              |
|  http://www.amazon.com/exec/obidos/ISBN%3D0596002920/cafeaulaitA/  |
+----------------------------------+---------------------------------+
|  Read Cafe au Lait for Java News:  http://www.cafeaulait.org/      |
|  Read Cafe con Leche for XML News: http://www.cafeconleche.org/    |
+----------------------------------+---------------------------------+
