

Eric van der Vlist wrote,
> Miles Sabin wrote:
> > This is likely to be particularly so in server as opposed to client
> > applications: that a server designed to only _consume_ incoming
> > documents might be tricked into making outgoing requests to
> > arbitrary hosts is probably completely unexpected.
>
> Yes, that's a fascinating and frightening perspective, but isn't it
> the case also with any HTML document which can instruct a browser to
> do many outgoing requests to fetch images, stylesheets, scripts and
> other objects?

Yes it is, but it's now pretty widely understood that HTML (with or 
without embedded scripts or objects) can be dangerous on the client.

I don't think there's the same understanding of vulnerabilities on the 
server side: if you POST an HTML document to a server you wouldn't 
normally expect it to attempt to retrieve images or execute embedded 
scripts or objects. OTOH, with an XML POST to a validating XML 
processor, retrieval of referenced external entities is precisely what's 
going to happen in many cases.

Cheers,


Miles
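
The point Miles makes above, shown in code: an XML parser that resolves external general entities will open whatever SYSTEM identifier the submitted document names, so a server that merely parses a POST body can be made to issue outbound requests. This is an added illustration, not code from the thread or from any project discussed in it. It uses Python's xml.sax (expat, a non-validating parser; external entity retrieval still happens there once the feature is enabled). The document, the "internal.example" host and the body the resolver hands back are all constructed, and the resolver stands in for the network so the example runs offline.

```python
"""External entity retrieval from a POSTed XML document (added example).

The resolver below never touches the network: it records the URL the
parser asked for and returns a constructed body standing in for what a
remote host would have served.
"""
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed attacker-controlled payload, as it might arrive in a POST body.
# The SYSTEM identifier is chosen by the sender, not by the server.
POSTED_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ext SYSTEM "http://internal.example/admin/status">
]>
<order><note>&ext;</note></order>"""


class RecordingResolver(handler.EntityResolver):
    """Stands in for the network: logs every systemId the parser tries to
    open and returns a constructed body instead of fetching it."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        # What the (hypothetical) internal host would have answered.
        src.setByteStream(io.BytesIO(b"db=up sessions=42"))
        return src


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_posted_xml(xml_bytes, allow_external):
    """Parse xml_bytes; return (URLs the parser tried to open, text content).

    allow_external toggles feature_external_ges, which controls whether
    external general entities (the SYSTEM "..." form) are resolved.
    Python >= 3.7.1 defaults it to False; older Pythons and many other
    XML stacks resolve them by default.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external)
    resolver = RecordingResolver()
    collector = TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return resolver.requested, "".join(collector.text)


if __name__ == "__main__":
    for allow in (True, False):
        urls, text = parse_posted_xml(POSTED_XML, allow_external=allow)
        print(f"external entities {'ON ' if allow else 'OFF'}: "
              f"requested={urls!r} note={text!r}")
```

With the feature on, the parser asks the resolver for http://internal.example/admin/status and splices the returned body into the document's text; in a real deployment that is an HTTP request from the server to a host of the sender's choosing, and the response may end up echoed back in an error message or stored record. With the feature off, nothing is requested and the entity reference expands to nothing. The hardening is the second configuration: disable external general and parameter entities (and external DTD loading) on any parser that handles untrusted input, and verify it with a probe document like the one above rather than trusting the library's documented default.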
