- From: Rick Jelliffe <ricko@topologi.com>
- Date: Wed, 30 Oct 2002 21:18:45 +1100
- To: <www-tag@w3.org>
It strikes me that this puts the cart before the horse. The answer is not to ban external entities, it is to allow access control lists as part of entity managers or URL resolvers. It may not be XML's problem to solve. > * DoS on the parsing system by making it open, e.g. > file:///dev/random | file:///dev/urandom | file://c:/con/con ACL can address this. > * TCP scans using HTTP external entities (including behind firewalls > since application servers often have world view different > from that of the attacker) ACL can fix this > * Unauthorized access to data stored as XML files on the parsing > system file system (of course the attacker still needs a way to > get these data back) Err, yes: this is a bit too vague to be credible isn't it. But an ACL system would fix that. > * DoS on other systems (if parsing system is allowed to establish > TCP connections to other systems) ACL would reduce this. > * NTLM authentication material theft by initiating UNC file access to > systems under attacker control (far fetched?) ? > * Doomsday scenario: A widely deployed and highly connected application > vulnerable to this attack may be used for DDoS. ACL can reduce this. An interesting point is that XInclude and other inbody links which are automatically fetched, parsed and embedded are susceptible to some kind of DoS where a resource fetched from a system under attacker control generates a never terminating series of XInclude references, each included document including more documents. At least the prolog fixes the number of entities possible. Cheers Rick Jelliffe
Received on Wednesday, 30 October 2002 05:19:06 UTC