[27657] in bugtraq


Re: XXE (Xml eXternal Entity) attack

daemon@ATHENA.MIT.EDU (Miles Sabin)
Wed Oct 30 20:41:03 2002

Content-Type: text/plain;
  charset="koi8-r"
From: Miles Sabin <miles@milessabin.com>
To: bugtraq@securityfocus.com, webappsec@securityfocus.com
Date: Wed, 30 Oct 2002 09:15:54 +0000
In-Reply-To: <15807.6253.821402.625857@home.nest.cx>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200210300915.54337.miles@milessabin.com>

Gregory Steuck wrote,
> Gregory Steuck security advisory #1, 2002

Excellent stuff ... I've posted a link to the bugtraq archive to 
xml-dev.

> Acknowledgments:
> Even though the issue was discovered and researched independently I
> cannot claim to be the first one to realize the risks associated
> with XML external entities. E.g. RFC 2518 discusses the issue in
> section 17.7 Implications of XML External Entities.

FWIW, this has been an occasional topic of discussion on xml-dev for the 
last couple of years. See here,

  http://www.megginson.com/ugly/slides/
  http://lists.xml.org/archives/xml-dev/200101/msg00057.html
  http://lists.xml.org/archives/xml-dev/200206/msg00240.html
  http://lists.xml.org/archives/xml-dev/200206/msg00247.html
  http://lists.xml.org/archives/xml-dev/200210/msg01461.html

The xml-dev reaction has by and large been "of course, don't do that", 
but xml-dev is a relatively rarified place, so it's nice to see this 
issue getting wider security-related circulation. It's also nice to see 
someone not just discussing theoretical attacks, but actually testing 
deployed software.

Cheers,


Miles
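The "don't do that" advice above, as an added defensive example that is not part of Miles Sabin's post or the advisory it replies to: a Python parser wrapper built on the standard-library expat bindings that refuses any XML declaring an external entity (or, optionally, any DOCTYPE at all). The sample documents and the `example.invalid` host are constructed for the example.

```python
import xml.parsers.expat


class ExternalEntityError(ValueError):
    """Raised when untrusted XML declares an external entity or external DTD."""


def parse_untrusted(data: bytes, forbid_dtd: bool = False) -> dict:
    """Parse XML from an untrusted source without ever resolving external entities.

    Returns {"root": first element name, "text": concatenated character data}.
    External general and parameter entities, and external DTD subsets, are
    rejected at declaration time, before any reference to them is expanded.
    With forbid_dtd=True every DOCTYPE is rejected, the simplest policy when the
    application has no legitimate use for one.
    """
    result = {"root": None, "text": ""}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ExternalEntityError("DOCTYPE not allowed in untrusted input")
        if sysid or pubid:  # external DTD subset is itself an external reference
            raise ExternalEntityError(f"external DTD subset: {sysid or pubid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value; external ones carry a system/public id.
        if sysid is not None or pubid is not None:
            raise ExternalEntityError(f"external entity {name!r}: {sysid or pubid}")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_chars(text):
        result["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return result


def rejects(data: bytes, forbid_dtd: bool = False) -> bool:
    """True if parse_untrusted refuses the document on entity/DTD grounds."""
    try:
        parse_untrusted(data, forbid_dtd=forbid_dtd)
    except ExternalEntityError:
        return True
    return False


# Constructed sample inputs (not from the advisory).
SAFE_DOC = b'<?xml version="1.0"?><doc><name>alice</name></doc>'
INTERNAL_ENTITY_DOC = b'<!DOCTYPE doc [<!ENTITY greet "hi">]><doc>&greet;</doc>'
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE doc [<!ENTITY ext SYSTEM '
                       b'"http://example.invalid/ext.txt">]><doc>&ext;</doc>')
```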
