Cart
[Home] [By Thread] [By Date] [Recent Entries]
Yes, I have but I may be missing your point. We've known about external entity retrieval problems since the SGML days. They were a nuisance more than a threat then. Somewhere way back when, this issue was brought up by Newcomb, myself, et al at the dawn of the webUberAlles era. It is pretty obvious to anyone that thinks about linking. Remember, the concept of linkbases is really really old. The wrinkle never seen before was using them for names too. In olden times, one could use a PUBLIC name and it would be non-dereferenceable by design rather than by fiat. I am simply wondering how many other ways it can be exploited using the network if the AnythingImportantIsURINamed and Smart People Prepend HTTP philosophy is followed without understanding that these things are always/whereevertheyarefound dereferenceable. len -----Original Message----- From: Miles Sabin [mailto:miles@m... Bullard, Claude L (Len) wrote, > Yep. However, since packets are sniffable? Umm ... you've not been paying attention, have you ;-) Other than the stuff David mentioned, the external entity attacks I disussed here,
|
