
Re: Entities can execute system level commands?

  • From: Michael Kay <mike@saxonica.com>
  • To: xml-dev@lists.xml.org
  • Date: Mon, 19 Jul 2010 15:37:09 +0100

It's like the warning "may contain traces of nuts" that is found on all 
food products. They're just covering themselves. Or scaremongering 
(remember that security folks are as likely to say "there are no 
security risks" as lawyers are to say "this draft contract is perfectly 
OK and needs no changes").

Michael Kay
Saxonica

On 19/07/2010 14:08, Costello, Roger L. wrote:
> Hi Folks,
>
> The RFC on XML Media Types (RFC2376) says this in the section on Security Considerations:
>
>     XML entities contain
>     information to be parsed and processed by the recipient's XML system.
>     These entities may contain and such systems may permit explicit
>     system level commands to be executed while processing the data.  To
>     the extent that an XML system will execute arbitrary command strings,
>     recipients of XML entities may be at risk. In general, it may be
>     possible to specify commands that perform unauthorized file
>     operations ...
>
> Yikes!
>
> How can the use of an entity result in "explicit system level commands to be executed while processing the data"?
>
> For example, here is an XML document that contains an external entity reference:
>
> <?xml version="1.0"?>
> <!DOCTYPE BookCatalogue [
>      <!ENTITY Book SYSTEM "Book.xml">
> ]>
> <BookCatalogue>
>          &Book;
>          <Book>
>                  <Title>Illusions The Adventures of a Reluctant Messiah</Title>
>                  <Author>Richard Bach</Author>
>                  <Date>1977</Date>
>                  <ISBN>0-440-34319-4</ISBN>
>                  <Publisher>Dell Publishing Co.</Publisher>
>          </Book>
>          <Book>
>                  <Title>The First and Last Freedom</Title>
>                  <Author>J. Krishnamurti</Author>
>                  <Date>1954</Date>
>                  <ISBN>0-06-064831-7</ISBN>
>                  <Publisher>Harper&amp; Row</Publisher>
>          </Book>
> </BookCatalogue>
>
> How can this entity execute system level commands?
>
> /Roger
>
> See Section 4 of RFC2376: http://www.ietf.org/rfc/rfc2376.txt
>

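The document Roger posted declares a general entity whose replacement text the parser would fetch from a SYSTEM identifier. As an added example (not part of the thread, and not Saxon's or any list member's code), here is how a recipient in Python can refuse such documents before they reach a parser that might honour them. The names `find_entity_declarations`, `parse_catalogue`, `classify` and `elementtree_refuses`, the `UnsafeDoctype` exception and both sample documents are this example's own constructions; only the standard-library `xml.parsers.expat` and `xml.etree.ElementTree` modules are used.

```python
# Added example: refusing XML that declares entities before parsing it.
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample modelled on the document in the thread: a general
# entity whose replacement text lives outside the document (a SYSTEM
# identifier, which may be a file path or a URL) and is referenced
# from content as &Book;.
CATALOGUE_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE BookCatalogue [
    <!ENTITY Book SYSTEM "Book.xml">
]>
<BookCatalogue>
    &Book;
    <Book>
        <Title>The First and Last Freedom</Title>
        <Author>J. Krishnamurti</Author>
    </Book>
</BookCatalogue>
"""

# Constructed sample with no DTD at all: what a well-behaved sender emits.
CATALOGUE_PLAIN = b"""<?xml version="1.0"?>
<BookCatalogue>
    <Book>
        <Title>Illusions</Title>
        <Author>Richard Bach</Author>
    </Book>
</BookCatalogue>
"""


class UnsafeDoctype(ValueError):
    """The document declares entities this recipient refuses to honour."""


def find_entity_declarations(data: bytes) -> list[dict]:
    """Report every entity declared in the document's internal subset.

    Expat reads the DOCTYPE and calls EntityDeclHandler once per
    declaration. Nothing is resolved: the external-entity handler below
    returns 1 ("handled") without creating a sub-parser, so a reference
    such as &Book; is skipped instead of fetched from Book.xml.
    """
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        found.append({
            "name": name,
            "parameter": bool(is_parameter),
            "external": system_id is not None or public_id is not None,
            "system_id": system_id,
            "public_id": public_id,
        })

    def decline_external(context, base, system_id, public_id):
        # Returning a true value tells expat the reference was dealt with;
        # because no sub-parser was created, the entity contributes nothing.
        return 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = decline_external
    parser.Parse(data, True)
    return found


def parse_catalogue(data: bytes) -> list[str]:
    """Return the catalogue's titles, refusing any document that declares
    entities. A recipient that needs none of them has no reason to let
    the sender define any, internal or external."""
    declared = find_entity_declarations(data)
    if declared:
        names = ", ".join(
            f"{d['name']} (SYSTEM {d['system_id']})" if d["external"] else d["name"]
            for d in declared)
        raise UnsafeDoctype(f"entity declarations refused: {names}")
    root = ET.fromstring(data)
    return [title.text for title in root.findall("Book/Title")]


def classify(data: bytes) -> tuple:
    """Wrap parse_catalogue so a caller gets a verdict instead of an exception."""
    try:
        return ("ok", parse_catalogue(data))
    except UnsafeDoctype as exc:
        return ("rejected", str(exc))
    except ET.ParseError as exc:
        return ("malformed", str(exc))


def elementtree_refuses(data: bytes) -> bool:
    """ElementTree never fetches an external entity: it raises ParseError
    ("undefined entity") at the reference. That is a parser default, not a
    policy, so the explicit check above still comes first."""
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return True
    return False


if __name__ == "__main__":
    print(classify(CATALOGUE_WITH_ENTITY))   # ('rejected', 'entity declarations refused: Book (SYSTEM Book.xml)')
    print(classify(CATALOGUE_PLAIN))         # ('ok', ['Illusions'])
```

The check runs in a first expat pass whose external-entity handler declines to create a sub-parser, so a declaration is reported but never followed; only a document with no entity declarations at all is handed to ElementTree. ElementTree itself does not fetch external entities, which the last function demonstrates, but relying on one parser's default rather than an explicit policy is exactly what the RFC's warning is about: a different XML system, or the same one reconfigured, may resolve the SYSTEM identifier and read whatever it names.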