• To: <xml-dev@l...>
• Subject: Re: Malicious XML
• From: David Megginson <david@m...>
• Date: Fri, 15 Nov 2002 09:41:24 -0500
• In-reply-to: <002501c28cb0$46c31d00$9e539696@citkwaclaww2k>
• References: <001f01c28c22$fcd8f990$9e539696@citkwaclaww2k><001d01c28c49$b0d2c720$0207a8c0@karl><001a01c28c67$f42b6540$0207a8c0@karl><200211151018.18512.miles@m...><002501c28cb0$46c31d00$9e539696@citkwaclaww2k>

Karl Waclawek writes:

 > According to James Clark it is a reasonably well known XML
 > vulnerability. I can e-mail you. I am not sure if I should
 > post it publicly - any comments on that?

[note: I've seen it by private mail]

Yes, you should post it publicly, for two reasons:

1. People cannot protect themselves against what they don't know.

2. There's very little XML flowing outside the firewall (virtually nil
   in Web terms), so there's not much for a script kiddie to attack.

I suppose we need to consider XML-aware Web browsers like MSIE, but
you hardly need a sophisticated attack to crash those anyway.


All the best,


DAvid

-- 
David Megginson, david@m..., http://www.megginson.com/

• References:
  • Malicious XML
    • From: "Karl Waclawek" <karl@w...>
  • Re: Malicious XML
    • From: "Karl Waclawek" <karl@w...>
  • Re: Malicious XML
    • From: "Karl Waclawek" <karl@w...>
  • Re: Malicious XML
    • From: Miles Sabin <miles@m...>
  • Re: Malicious XML
    • From: "Karl Waclawek" <karl@w...>

• Prev by Date: RE: dtds, schemas, xhtml, and multimedia technologies
• Next by Date: Re: Malicious XML
• Previous by thread: Re: Malicious XML
• Next by thread: Re: Malicious XML
• Index(es):
  • Date
  • Thread