Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Sun JRE / JDK bug introduces XXE possibilities
From: "Chris Evans" <scarybeasts () gmail com>
Date: Sat, 2 Feb 2008 14:21:13 +0000
Hi,

Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:

http://scarybeastsecurity.blogspot.com/

Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.

In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.

Cheers
Chris

  By Date           By Thread  

Current thread:
  • Sun JRE / JDK bug introduces XXE possibilities Chris Evans (Feb 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]