> Karl Waclawek wrote,
> > > Anyway, their example uses a really trivial internal subset to bring
> > > down a SOAP server. I wonder if there are more well known XML
> > > examples that can cause a parser to eat up all memory.
> > >
> > > Properly used, Expat is already equipped to handle such situations
> > > since it allows for a pluggable memory handler.
> >
> > Actually, I have to correct myself:
> >
> > In Expat, memory isn't eaten up, just lots of CPU cycles.
> > Same in MSXML4. So a custom memory handler won't work.
>
> Any chance of some details of just what it is in the internal subset
> which triggers this behaviour, and how?

According to James Clark it is a reasonably well known XML vulnerability.
I can e-mail you. I am not sure if I should post it publicly - any comments on that?

Btw, I was able to modify this attack and turn it into a memory hog
as well as a CPU hog.

Karl