- From: Miles Sabin <miles@milessabin.com>
- Date: Wed, 30 Oct 2002 09:26:34 +0000
- To: www-tag@w3.org
As seen on BugTraq,
http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
Gregory Steuck security advisory #1, 2002
Overview:
An XXE (Xml eXternal Entity) attack is an attack on an application that
parses XML input from untrusted sources using an incorrectly configured
XML parser. The application may be coerced to open arbitrary files
and/or TCP connections.
I doubt that this is news to anyone on this list, but even so, I think
there's definitely scope for a BCP: Don't retrieve external entities
(or resources identified by namespace URIs) unless you have to, and
then only if you trust the source (and probably the target as well) of
the URI.
FWIW, this isn't completely unrelated to Larry's "http URIs as names and
scalability".
Cheers,
Miles
Received on Wednesday, 30 October 2002 04:27:07 UTC
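The practice the post recommends, as an added example that is not part of the original message or of the advisory it quotes: parse untrusted XML with external entity resolution switched off, check the input for external entity declarations before parsing, and, as a diagnostic, list the URIs a permissively configured parser would have tried to open. It uses only the Python standard library's expat-based SAX parser; the two sample documents, the placeholder file URI and the function names (`parse_names_hardened`, `declares_external_entities`, `external_uris_requested`) are constructed for this example.

```python
"""Added example: hardened XML parsing with no external entity fetches.

Not code from the original post or advisory.  Uses only the standard
library (xml.sax over expat).  Sample documents, the placeholder file
URI and all function names are constructed for this illustration.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver
from xml.sax.handler import feature_external_ges, feature_external_pes

# Constructed samples: a benign document and one whose DOCTYPE declares an
# external general entity pointing at a placeholder file URI.
DOC_PLAIN = "<root><name>alice</name></root>"
DOC_XXE = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE root [\n"
    '  <!ENTITY ext SYSTEM "file:///placeholder/secret.txt">\n'
    "]>\n"
    "<root><name>&ext;</name></root>"
)

# Matches SYSTEM/PUBLIC entity declarations (general or parameter) in an
# internal DTD subset: a cheap pre-parse check and a useful signal to log.
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def declares_external_entities(xml_text: str) -> bool:
    """True if the input declares any entity with an external identifier."""
    return bool(_EXTERNAL_ENTITY.search(xml_text))


class _Refused(Exception):
    """Raised by the resolver instead of fetching anything."""


class _RefusingResolver(EntityResolver):
    """Records every external identifier the parser asks for and refuses to
    supply it, so no file is opened and no TCP connection is made."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        raise _Refused(systemId)


class _NameCollector(ContentHandler):
    """Collects the character data of <name> elements."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "name":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "name":
            self.names.append("".join(self._buf))
            self._buf = None


def _parse(xml_text: str, fetch_external: bool):
    """Run the SAX parser with external general entities on or off.
    Returns (collected names, external identifiers the parser asked for)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, fetch_external)
    parser.setFeature(feature_external_pes, False)  # expat never reads these
    resolver = _RefusingResolver()
    parser.setEntityResolver(resolver)
    handler = _NameCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.StringIO(xml_text))
    except _Refused:
        pass  # the permissive parser asked for a URI and we declined
    return handler.names, resolver.requested


def parse_names_hardened(xml_text: str) -> list:
    """Recommended configuration: external entities are never resolved, so a
    reference such as &ext; simply contributes no text."""
    names, _ = _parse(xml_text, fetch_external=False)
    return names


def external_uris_requested(xml_text: str) -> list:
    """Diagnostic: the URIs a permissively configured parser would try to
    open for this input.  Nothing is actually fetched."""
    _, requested = _parse(xml_text, fetch_external=True)
    return requested


if __name__ == "__main__":
    print(parse_names_hardened(DOC_PLAIN))      # ['alice']
    print(parse_names_hardened(DOC_XXE))        # ['']
    print(declares_external_entities(DOC_XXE))  # True
    print(external_uris_requested(DOC_XXE))     # ['file:///placeholder/secret.txt']
```

Setting the feature explicitly, rather than relying on a parser's default, records the intent in the code and keeps the behaviour stable across parser versions and implementations whose defaults differ; the refusing resolver is a second line of defence in case some code path still asks for an external identifier. The same two measures apply to the post's second point: a parser or schema loader should not dereference a namespace URI unless the application has decided it needs to and trusts both the document and the target.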