Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack

Cart

XML Editor - Download a Free Trial >

See What's New >

Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

To: xml-dev@l...
Subject: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: Miles Sabin <miles@m...>
Date: Wed, 30 Oct 2002 10:20:58 +0000
In-reply-to: <01ad01c27ffb$9aa10d40$4bc8a8c0@A...>
References: <200210300905.44376.miles@m...> <01ad01c27ffb$9aa10d40$4bc8a8c0@A...>

Rick Jelliffe wrote,
> > * Unauthorized access to data stored as XML files on the parsing
> >   system file system (of course the attacker still needs a way to
> >   get these data back)
>
> Err, yes: this is a bit too vague to be credible isn't it.

I sketched a scenario here,

  http://lists.xml.org/archives/xml-dev/200206/msg00247.html

(see towards the middle, "unexpected information disclosure"). Maybe 
still a bit vague, and highly dependent on the functionality of the 
receiving application ... but I think the possibility is credible 
enough.

Cheers,


Miles

References:
- Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@m...>
- Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: "Rick Jelliffe" <ricko@a...>

Prev by Date: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by Date: Re: XML Object Serialization
Previous by thread: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by thread: Internationalising Regular Expressions
Index(es):
- Date
- Thread

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >