Re: Possible issue: XXE (Xml eXternal Entity) attack

It strikes me that this puts the cart before the horse.  The answer is not to ban 
external entities, it is to allow access control lists as part of entity managers
or URL resolvers. It may not be XML's problem to solve. 

> * DoS on the parsing system by making it open, e.g.
>   file:///dev/random | file:///dev/urandom | file://c:/con/con

ACL can address this.

> * TCP scans using HTTP external entities (including behind firewalls
>   since application servers often have world view different
>   from that of the attacker)

ACL can fix this

> * Unauthorized access to data stored as XML files on the parsing
>   system file system (of course the attacker still needs a way to
>   get these data back)

Err, yes: this is a bit too vague to be credible isn't it. But an ACL system
would fix that.

>  * DoS on other systems (if parsing system is allowed to establish
>   TCP connections to other systems)

ACL would reduce this.  

> * NTLM authentication material theft by initiating UNC file access to
>   systems under attacker control (far fetched?)

?

> * Doomsday scenario: A widely deployed and highly connected application
>   vulnerable to this attack may be used for DDoS.

ACL can reduce this. 

An interesting point is that XInclude and other inbody links which are automatically
fetched, parsed and embedded are susceptible to some kind of DoS where 
a resource fetched from a system under attacker control generates a never 
terminating series of XInclude references, each included document including
more documents.  At least the prolog fixes the number of entities possible.

Cheers
Rick Jelliffe

Received on Wednesday, 30 October 2002 05:19:06 UTC