Posted to java-user@axis.apache.org by insoo lee <in...@netwizers.com> on 2004/05/21 03:51:05 UTC

security vulnerability with DTD/Axis?


Could you please let me know if the following security issue has been resolved?

http://xmlfr.org/cache/0014.html


Thanks much.
Insoo

>>>

=> Summary: Using the DTD part of the XML document, it is possible to cause the
XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
a denial of service condition.

=> Description: The DTD part of the XML document enables the document to define
named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
defined using other entities (recursion is prohibited in XML 1.0).
Entities are expanded when they are referenced, inside the XML document.
The attack is comprised of defining and referencing an entity which is defined
using two instances of another entity, which is (in turn) defined as two instances
of yet another entity, and so on. This definition process can be repeated as long
as "necessary" - we found that a nesting level of 100 is usually sufficient.
The 100th entity should be defined simply as a string. This has the effect of having
the first entity contain, in theory, 2^99 (two to the power of ninety nine)
concatenated values of the 100th entity.
Here's an example (the DTD is to be placed after the XML declaration, and before the
root element of the XML document):


Re: security vulnerability with DTD/Axis?

Posted by Davanum Srinivas <da...@gmail.com>.
yep.

On Thu, 20 May 2004 21:51:05 -0400, insoo lee <in...@netwizers.com> wrote:
> 
> 
> 
> Could you please let me know if the following security issue has been resolved?
> 
> http://xmlfr.org/cache/0014.html
> 
> Thanks much.
> Insoo
> 
> >>>
> 
> => Summary: Using the DTD part of the XML document, it is possible to cause the
> XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
> a denial of service condition.
> 
> => Description: The DTD part of the XML document enables the document to define
> named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> defined using other entities (recursion is prohibited in XML 1.0).
> Entities are expanded when they are referenced, inside the XML document.
> The attack is comprised of defining and referencing an entity which is defined
> using two instances of another entity, which is (in turn) defined as two instances
> of yet another entity, and so on. This definition process can be repeated as long
> as "necessary" - we found that a nesting level of 100 is usually sufficient.
> The 100th entity should be defined simply as a string. This has the effect of having
> the first entity contain, in theory, 2^99 (two to the power of ninety nine)
> concatenated values of the 100th entity.
> Here's an example (the DTD is to be placed after the XML declaration, and before the
> root element of the XML document):
> 
>
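The expansion the advisory describes can be bounded before a document ever reaches the parser. As an added example (not code from this thread or from Axis), here is a Python pre-parse check that reads the internal DTD subset, computes each entity's fully expanded length by memoised recursion (a 100-level chain costs 100 steps, not 2^99 expansions), and rejects the document when any entity exceeds a size limit or is declared recursively. The sample document and the names `NESTED_DOC`, `internal_entities`, `expanded_size`, `max_expansion` and `is_safe_to_parse` are constructed for this example.

```python
import re
# Constructed sample in the shape the advisory describes: each entity is two copies of
# the previous one, so e3 expands to 2^3 copies of the three-character leaf (24 chars).
NESTED_DOC = """<?xml version="1.0"?>
<!DOCTYPE doc [
<!ENTITY e0 "lol">
<!ENTITY e1 "&e0;&e0;">
<!ENTITY e2 "&e1;&e1;">
<!ENTITY e3 "&e2;&e2;">
]>
<doc>&e3;</doc>"""

PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}
DOCTYPE_SUBSET = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
# Internal general entities only; parameter (%) and SYSTEM/PUBLIC entities do not match.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.\-]+)\s+(?:"([^"]*)"|'([^']*)')""", re.S)
ENTITY_REF = re.compile(r"&([\w.\-]+);")


def internal_entities(doc: str) -> dict:
    """Map entity name -> replacement text for the internal DTD subset ({} if no DOCTYPE)."""
    m = DOCTYPE_SUBSET.search(doc)
    return {n: dq or sq for n, dq, sq in ENTITY_DECL.findall(m.group(1))} if m else {}


def expanded_size(name: str, ents: dict, memo: dict, active: set) -> int:
    """Characters &name; would produce when fully expanded, computed without building the
    text (memoised, so the walk is linear in declarations). Undefined/recursive -> ValueError."""
    if name in PREDEFINED:
        return 1
    if name not in ents or name in active:
        raise ValueError(f"undefined or recursive entity &{name};")
    if name not in memo:
        active.add(name)
        total = len(ENTITY_REF.sub("", ents[name]))  # literal characters in the replacement
        total += sum(expanded_size(r, ents, memo, active) for r in ENTITY_REF.findall(ents[name]))
        active.discard(name)
        memo[name] = total
    return memo[name]


def max_expansion(doc: str) -> int:
    """Largest fully expanded size among the document's internal entities (0 if none)."""
    ents, memo = internal_entities(doc), {}
    return max((expanded_size(n, ents, memo, set()) for n in ents), default=0)


def is_safe_to_parse(doc: str, limit: int = 1 << 20) -> bool:
    # Gate before handing the bytes to a parser: reject if any entity expands past `limit`.
    try:
        return max_expansion(doc) <= limit
    except ValueError:
        return False
```

A check like this complements, rather than replaces, disabling DOCTYPE processing in the parser itself (on Xerces-based stacks such as Axis, the `http://apache.org/xml/features/disallow-doctype-decl` feature).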