Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
From: Gregory Steuck <greg-fulldisclosure () nest cx>
Date: 17 Dec 2002 11:32:10 -0800
"Amit" == Amit Klein <amit.klein () sanctuminc com> writes:
Amit> Whether you like it or not, a substantial amount of
Amit> BugTraq advisories are non-disclosure. This is by no means the
Amit> first one. Full disclosure does not mean spelling out
Amit> exploits for script kiddies.
I don't advocate "0wning t00lz", I advocate providing enough details to
help intelligent programmers to avoid repeating the old mistakes. And
your evaluation of bugtraq seems to match mine, so it is time for those
who seek knowledge to move on. Thank you Georgi, for bringing
full-disclosure to my attention.
>> Uh-oh, turns out it's the way DTD is supposed to work, not an
>> implementation defect.
Amit> First, RTFM: "A SOAP message MUST NOT contain a Document Type
Amit> Declaration" (http://www.w3.org/TR/SOAP/ section 3).
A clarification is in order, I meant to say "not an implementation
defect in XML parser".
Amit> And for the generic XML documents, I believe that it is
Amit> possible to parse the DTD securely.
That's precisely my point: as a developer I need to know what I should
be looking for. Your advisory does not teach me much. It does not tell
me how to use an XML parser safely.
Full-Disclosure - We believe in it.
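Added example, not part of the original message or of the advisory it discusses: one way to enforce the SOAP rule quoted above ("MUST NOT contain a Document Type Declaration") with Python's standard-library expat binding, by refusing any message in which a DOCTYPE appears. The function names, the chunk size and the sample messages are assumptions made for illustration.

```python
import xml.parsers.expat

CHUNK = 512  # assumption: feed size, so a rejection surfaces early


class DoctypeForbidden(ValueError):
    """The message carries a Document Type Declaration."""


def parse_soap_without_dtd(data: bytes) -> list:
    """Return element names in document order; refuse any DOCTYPE."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # expat calls this when the declaration opens, before any
        # element is reported; raising makes the Parse() call fail.
        raise DoctypeForbidden("DOCTYPE %r rejected" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    # Feed in chunks so the error is raised at the end of the chunk that
    # holds the DOCTYPE, not after the whole body has been handed over.
    for off in range(0, len(data), CHUNK):
        parser.Parse(data[off:off + CHUNK], False)
    parser.Parse(b"", True)
    return names


# Constructed sample messages, not taken from the advisory.
CLEAN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
         b'<soap:Body><m:Ping xmlns:m="urn:example"/></soap:Body></soap:Envelope>')
WITH_DTD = b'<!DOCTYPE Envelope [<!ENTITY note "constructed">]>' + CLEAN


def is_rejected(data: bytes) -> bool:
    """True when the message is refused because of a DOCTYPE."""
    try:
        parse_soap_without_dtd(data)
    except DoctypeForbidden:
        return True
    return False


if __name__ == "__main__":
    print(parse_soap_without_dtd(CLEAN))
    print(is_rejected(WITH_DTD))
```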