Posted to c-dev@xerces.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2003/03/10 19:36:40 UTC

RE: DOS attack via Xerces (fwd)

Was there ever an xml security team set up ?

Dw.

---------- Forwarded message ----------
Date: Mon, 10 Mar 2003 13:22:36 -0500
From: neilg@ca.ibm.com
Reply-To: xerces-c-dev@xml.apache.org
To: xerces-c-dev@xml.apache.org
Subject: RE: DOS attack via Xerces

Hi Scott,

Since I was one of the primary people who worked on proofing Xerces-J
against these exploits, I have a pretty good idea what they're about.  I'm
sure a somewhat similar approach could be adopted for Xerces-C.

Until this is fixed, though, I don't think it's a good idea to discuss
precisely how these DOS attacks would be launched on a public--let alone a
publicly-archived!--mailing list.  If we were to do so, then any hacker who
could determine that Xerces-C was operating on a system and who could feed
it a document could bring the system down (or at least cause it significant
problems).

So, for the moment, I'll only provide details privately to interested
folks.

Cheers,
Neil
Neil Graham
XML Parser Development
IBM Toronto Lab
Phone:  905-413-3519, T/L 969-3519
E-mail:  neilg@ca.ibm.com


"Gordon, M Scott (US SSA)" <m.gordon@baesystems.com>
03/10/2003 12:55 PM
Please respond to xerces-c-dev

To:       <xe...@xml.apache.org>
cc:       "Gordon, M Scott (US SSA)" <m....@baesystems.com>
Subject:  RE: DOS attack via Xerces

Hello,

Is this only an issue when parsing a malformed DTD?  Can the problem
occur when parsing a malformed Schema file?  Can the problem occur when
parsing an XML instance file without reference to a validation file?

Thanks,

Scott

-----Original Message-----
From: David N Bertoni/Cambridge/IBM [mailto:david_n_bertoni@us.ibm.com]
Sent: Thursday, March 06, 2003 1:55 PM
To: xerces-c-dev@xml.apache.org
Subject: Re: DOS attack via Xerces

As of 2.1, you can configure Xerces-C++ to completely ignore the external
subset of a DTD when not validating.  You can also install an
EntityResolver yourself and do that.  You could even have a trusted version
of the DTD on the server and use that instead of the one specified by the
system ID.

Internal subsets of DTDs will be harder to control.  I think the Xerces
team would need more details about such malicious DTDs.

Dave

Bhavani Ravichandran <bhavani@bea.com>
03/06/2003 12:11 PM
Please respond to xerces-c-dev

To:       xerces-c-dev@xml.apache.org
cc:       (bcc: David N Bertoni/Cambridge/IBM)
Subject:  DOS attack via Xerces

Hi,
I saw the following DOS security alert in xerces-j-user newsgroup

...

I recently received a security alert regarding Xerces XML parsers (see
below). We have recently implemented an application that uses Castor, which
uses Xerces 1.4.4, to parse XML requests for data. Are there any changes in
the works to Xerces to combat this issue?

The Xerces XML parser included in multiple vendors' web services products
is used to parse XML documents that contain Document Type Definitions
(DTD).  A remote attacker may configure the attributes of a document or
object within a DTD or Simple Object Access Protocol message to cause a
denial of service (DoS) attack against web systems running the parser.
The malicious DTD sends the parser into an almost infinite loop, which
exhausts CPU resources.

Is anyone looking/looked into this for xercesc-c++? We are shipping
xercesc1.7 parser with our product and would like to incorporate the
changes if one is available.

Bhavani Ravichandran


---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-c-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xerces-c-dev-help@xml.apache.org