Bugtraq: Re: XXE (Xml eXternal Entity) attack

Bugtraq mailing list archives

Re: XXE (Xml eXternal Entity) attack

From: Miles Sabin <miles () milessabin com>
Date: Wed, 30 Oct 2002 09:15:54 +0000

Gregory Steuck wrote,

Gregory Steuck security advisory #1, 2002


Excellent stuff ... I've posted a link to the bugtraq archive to 
xml-dev.

Acknowledgments:
Even though the issue was discovered and researched independently I
cannot claim to be the first one to realize the risks associated
with XML external entities. E.g. RFC 2518 discusses the issue in
section 17.7 Implications of XML External Entities.


FWIW, this has been an occasional topic of discussion on xml-dev for the 
last couple of years. See here,

  http://www.megginson.com/ugly/slides/
  http://lists.xml.org/archives/xml-dev/200101/msg00057.html
  http://lists.xml.org/archives/xml-dev/200206/msg00240.html
  http://lists.xml.org/archives/xml-dev/200206/msg00247.html
  http://lists.xml.org/archives/xml-dev/200210/msg01461.html

The xml-dev reaction has by and large been "of course, don't do that", 
but xml-dev is a relatively rarified place, so it's nice to seeing this 
issue getting wider security related circulation. It's also nice to see 
someone not just discussing theoretical attacks, but actually testing 
deployed software.

Cheers,


Miles

By Date By Thread

Current thread:

XXE (Xml eXternal Entity) attack Gregory Steuck (Oct 30)
- Re: XXE (Xml eXternal Entity) attack Miles Sabin (Oct 30)