Posted to j-users@xerces.apache.org by Ro...@us.hsbc.Com on 2002/12/12 21:37:02 UTC
DoS Attack via Xerces
I recently received a security alert regarding Xerces XML parsers (see
below). We have recently implemented an application that uses Castor, which
uses Xerces 1.4.4, to parse XML requests for data. Are there any changes in
the works to Xerces to combat this issue?
The Xerces XML parser included in multiple vendors' web services products
is used to parse XML documents that contain Document Type Definitions
(DTD). A remote attacker may configure the attributes of a document or
object within a DTD or Simple Object Access Protocol message to cause a
denial of service (DoS) attack against web systems running the parser.
The malicious DTD sends the parser into an almost infinite loop, which
exhausts CPU resources.
---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-j-user-unsubscribe@xml.apache.org
For additional commands, e-mail: xerces-j-user-help@xml.apache.org
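A defensive counterpart to the alert quoted above, added here and not code from the original thread: a JAXP parser backed by Xerces2 with the `http://apache.org/xml/features/disallow-doctype-decl` feature enabled, so any request carrying a DTD is rejected as a fatal error before the DTD is ever processed. That feature belongs to Xerces2, not to the Xerces 1.4.4 named in the question; the class name and the two sample request documents are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class NoDtdParser {

    // Xerces2 feature: the parser raises a fatal error on any DOCTYPE declaration.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a parser that refuses documents carrying a DTD. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // If the underlying parser does not know this feature, setFeature throws
        // ParserConfigurationException, so the setup fails closed rather than
        // silently accepting DTDs.
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Second layer: even if a DTD slipped through, do not expand entity
        // references declared in it.
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parses(String xml) throws ParserConfigurationException {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            // A DOCTYPE is reported as a fatal SAXParseException; treat as rejected.
            return false;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests: one plain, one carrying a (harmless) DTD.
        String plain = "<request><id>42</id></request>";
        String withDtd = "<!DOCTYPE request [ <!ENTITY x \"y\"> ]><request>&x;</request>";
        System.out.println("plain request parses:    " + parses(plain));
        System.out.println("request with DTD parses: " + parses(withDtd));
    }
}
```

The rejected request never reaches DTD processing, so a DTD crafted to keep the parser busy is refused at the declaration rather than handled; the same feature can be set on a SAX `XMLReader` via `setFeature` when DOM is not in use.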
Re: DoS Attack via Xerces
Posted by Joseph Kesselman <ke...@us.ibm.com>.
See recent discussion in the developers' list; several possible approaches
have been proposed, with some discussion of their
practicality/desirability.
______________________________________
Joe Kesselman / IBM Research