- From: Dare Obasanjo <dareo@microsoft.com>
- Date: Wed, 30 Oct 2002 09:08:27 -0800
- To: "Miles Sabin" <miles@milessabin.com>, <www-tag@w3.org>

Why do you think this is a TAG issue? Even if it was a TAG issue, your proposed recommendation misses the point. The security issue is that clients should not attempt to retrieve data from URIs when directed to do so by untrusted sources, regardless of whether the retrieval directive is via external entities, stylesheet PIs, XInclude, xsi:schemaLocation or whatever. I'm not sure what namespace URIs have to do with anything.

PS: I believe that XML Web Service implementations (or at least those that use SOAP) aren't supposed to support DTDs, so this specific attack is not an architectural issue for them.

--
PITHY WORDS OF WISDOM
When in doubt, ignore it.

This posting is provided "AS IS" with no warranties, and confers no rights.

> -----Original Message-----
> From: Miles Sabin [mailto:miles@milessabin.com]
> Sent: Wednesday, October 30, 2002 1:27 AM
> To: www-tag@w3.org
>
> As seen on BugTraq,
>
> http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
>
> Gregory Steuck security advisory #1, 2002
>
> Overview:
>
> XXE (Xml eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using incorrectly configured XML parser. The application may be coerced to open arbitrary files and/or TCP connections.
>
> I doubt that this is news to anyone on this list, but even so, I think there's definitely scope for a BCP: Don't retrieve external entities (or resources identified by namespace URIs) unless you have to, and then only if you trust the source (and probably the target as well) of the URI.
>
> FWIW, this isn't completely unrelated to Larry's "http URIs as names and scalability".
>
> Cheers,
>
> Miles
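The point both messages make, that a parser fed untrusted XML must not fetch whatever SYSTEM identifier the document names, comes down to a parser configuration choice. The following is an added example, not code from either poster or from the advisory, using Python's standard expat binding. The sample document is constructed here; its SYSTEM identifier is a placeholder that the code never opens. The example shows the two defensible policies for an external general entity reference: refuse it and keep an audit record of what the document tried to make the client fetch, or leave the reference handler unset so expat skips it silently. (Stylesheet PIs, XInclude and xsi:schemaLocation are separate retrieval paths handled by other layers, and are not covered by this parser-level check.)

```python
import xml.parsers.expat

# Constructed sample (not from the thread): an internal DTD subset declares an
# external general entity and the content references it. The SYSTEM id is a
# placeholder; nothing in this file ever retrieves it.
UNTRUSTED_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///placeholder/never-opened.txt">
]>
<note><body>&ext;</body></note>
"""


def parse_untrusted(data, refuse_externals=True):
    """Parse XML from an untrusted source without retrieving anything it names.

    Returns a dict:
      ok        - True if the parse completed
      text      - character data actually delivered to the application
      attempted - SYSTEM ids the document tried to have us fetch (audit record)
      error     - expat's message if the parse was aborted, else None
    """
    attempted = []
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    if refuse_externals:
        # Policy 1: observe and refuse. expat calls this for every external
        # entity reference *before* anything is fetched; returning 0 tells it
        # the reference could not be processed, so the parse is aborted with
        # an ExpatError and the placeholder URI is never opened.
        def refuse(context, base, system_id, public_id):
            attempted.append(system_id)
            return 0

        parser.ExternalEntityRefHandler = refuse
    # Policy 2 (refuse_externals=False): leave ExternalEntityRefHandler unset.
    # expat then skips the reference: no retrieval, and the entity contributes
    # no character data. Quieter, but the audit record above is lost.

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        return {"ok": False, "text": "".join(chunks),
                "attempted": attempted, "error": str(exc)}
    return {"ok": True, "text": "".join(chunks),
            "attempted": attempted, "error": None}


if __name__ == "__main__":
    print(parse_untrusted(UNTRUSTED_DOC))
    print(parse_untrusted(UNTRUSTED_DOC, refuse_externals=False))
```

Refusing and logging is the better default for a service that should never see a DOCTYPE from its callers at all: the `attempted` list is exactly the signal a detection rule wants, and a hard parse failure is easier to notice than a silently empty element.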
Received on Wednesday, 30 October 2002 12:08:59 UTC