Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Multiple vendors XML parser (and SOAP/WebServices server) Den ial of Service attack using DTD
From: Amit Klein <amit.klein () sanctuminc com>
Date: Tue, 17 Dec 2002 01:42:33 -0800

It's posts like
this one that make Bugtraq a cheap brand name peddling place.

Wake up. Whether you like ot or not, a substantial amount of BugTraq
advisories are non-doscilsure. This is by no means the first one.
Full disclosure does not mean spelling out exploits for script kiddies. At
the end of the day, the products became secure (due to patches
offered by the vendors), and that's what counts.

    Amit>  - Other products from other vendors are known to be
    Amit> vulnerable too

Perfect, and since we are not told what the vulnerability is, we are
left vulnerable without any way to find out where the problem lies.

The vendors not listed are ones that were not contacted directly by me.
These vendors did not contact me, and I have no information 
regarding their status with this vulnerability. As such, I did not include
them in my advisory. If you use a product from such vendor, you
should probably ask your vendor some questions.

Uh-oh, turns out it's the way DTD is supposed to work, not an
implementation defect.

First, RTFM: "A SOAP message MUST NOT contain a Document Type Declaration"
(http://www.w3.org/TR/SOAP/ section 3). 
And for the generic XML documents, I believe that it is possible to parse 
the DTD securely. The fact that the DTD allows you to do something does not
mean that it is secure to do it. 
For example, the DTD allows you to define external entities, yet these
clearly pose a security problem.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]