Re: Possible issue: XXE (Xml eXternal Entity) attack

On Wednesday, October 30, 2002, 10:26:34 AM, Miles wrote:


MS> As seen on BugTraq,

MS> http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0

MS>   Gregory Steuck security advisory #1, 2002

MS>   Overview:
MS>     XXE (Xml eXternal Entity) attack is an attack on an application that
MS>     parses XML input from untrusted sources using an incorrectly configured
MS>     XML parser. The application may be coerced to open arbitrary files
MS>     and/or TCP connections.

MS> I doubt that this is news to anyone on this list, but even so, I think 
MS> there's definitely scope for a BCP: Don't retrieve external entities 
MS> (or resources identified by namespace URIs) unless you have to, and 
MS> then only if you trust the source (and probably the target as well) of 
MS> the URI.

How is that different from html pages that link to external images
that the browser may be 'coerced' to open?



-- 
 Chris                            mailto:chris@w3.org

Received on Wednesday, 30 October 2002 15:30:36 UTC
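The two parser configurations the advisory contrasts, as an added example that is not part of the original thread, the advisory, or any W3C code: Python's standard expat binding parsing a constructed XXE payload, first with an application-supplied resolver that dereferences SYSTEM identifiers (the "incorrectly configured" case) and then with handlers that refuse every entity declaration and every external reference (Miles's proposed BCP). The payload, the FAKE_FILES dict standing in for the local filesystem, and the function and exception names are all constructed for this illustration; expat itself never fetches a URI, so the leak happens only because the application's ExternalEntityRefHandler does it.

```python
import xml.parsers.expat as expat

# Constructed sample input: an XXE payload that declares an external general
# entity whose SYSTEM identifier names a local file, then expands it in content.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [\n'
    '  <!ENTITY secret SYSTEM "file:///etc/hostname">\n'
    ']>\n'
    '<order><customer>&secret;</customer></order>'
)

# Constructed benign document with no DOCTYPE at all.
BENIGN = '<order><customer>alice</customer></order>'

# Constructed stand-in for the local filesystem so the example runs offline and
# reads nothing on the real host; a real resolver would open the path or URL.
FAKE_FILES = {"file:///etc/hostname": "db-server-01\n"}


def parse_naive(xml_text):
    """The misconfigured-parser case from the advisory.

    The application hands expat a resolver that fetches whatever identifier the
    untrusted document names, so the file's contents end up in the parsed data.
    Returns all character data collected from the document."""
    collected = []
    parser = expat.ParserCreate()

    def external_entity_ref(context, base, system_id, public_id):
        # Dereference the identifier and parse the result as the entity's
        # replacement text, the way expat expects an application to resolve
        # external entities.  The lookup is where a real app would read a file.
        body = FAKE_FILES.get(system_id, "")
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = collected.append
        sub.Parse(body, True)
        return 1  # tell expat the reference was resolved successfully

    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = collected.append
    parser.Parse(xml_text, True)
    return "".join(collected)


class ExternalEntityRejected(ValueError):
    """Raised (hypothetical name) when the hardened parser sees an entity."""


def parse_hardened(xml_text):
    """The BCP: do not retrieve external entities unless you have to.

    Refuses every entity declaration (which also blocks internal-entity
    expansion bombs) and every external reference, and never reads the
    external DTD subset or parameter entities.  Returns collected character
    data for documents that pass."""
    collected = []
    parser = expat.ParserCreate()
    # Never fetch the external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_entity_decl(entity_name, is_parameter_entity, value,
                           base, system_id, public_id, notation_name):
        raise ExternalEntityRejected("entity declaration refused: %s"
                                     % entity_name)

    def reject_external_ref(context, base, system_id, public_id):
        raise ExternalEntityRejected("external entity refused: %s"
                                     % system_id)

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.CharacterDataHandler = collected.append
    parser.Parse(xml_text, True)
    return "".join(collected)


def hardened_rejects(xml_text):
    """True if the hardened parser refuses the document outright."""
    try:
        parse_hardened(xml_text)
    except ExternalEntityRejected:
        return True
    return False


if __name__ == "__main__":
    print("naive parser leaked:", repr(parse_naive(XXE_PAYLOAD)))
    print("hardened parser on benign input:", repr(parse_hardened(BENIGN)))
    print("hardened parser rejects payload:", hardened_rejects(XXE_PAYLOAD))
```

The hardened variant answers Chris's comparison to images in HTML: a browser choosing to fetch an `<img>` is a client-side decision made for the user, whereas here the server-side application fetches whatever the attacker's document names and returns the result in its own output, so the safe default is to refuse entity declarations altogether and only opt in for documents from trusted sources.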