Journal of rjray (1649)

Wednesday October 30, 2002
12:27 AM

Important Security Notice (re: RPC::XML)

[ #8676 ]

The previous journal entry (one of my auto-announcements) heralds a release of my RPC::XML package that is going out to pre-emptively address a potential security vulnerability. If you use the package, you really should install this newer version.

As it was explained to me, XML-enabled applications that use parsers (such as XML::Parser) which attempt to resolve external entities can be subverted by sending a document with a carefully-constructed DTD that can cause the service or application to attempt to access files or make Internet connections that the developer of the service had not planned on. The person who brought it to my attention will be sending a formal description to relevant security watchdog groups.
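
The behaviour described above, as an added Perl example (not part of the original journal entry, and not the actual change made in RPC::XML): a non-validating XML::Parser is handed a constructed request whose DTD declares an external entity, and an `ExternEnt` handler refuses to resolve it. The method name `example.echo`, the placeholder file path and the function name `parse_refusing_external_entities` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Parser;

# Constructed sample request: the DTD declares an external entity whose
# system identifier names a placeholder file the service never meant to expose.
my $request = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY probe SYSTEM "file:///path/to/placeholder.txt">
]>
<methodCall>
  <methodName>example.echo</methodName>
  <params><param><value><string>&probe;</string></value></param></params>
</methodCall>
XML

# XML::Parser does not validate, yet it still resolves external entities:
# with no ExternEnt handler of our own, its default handler opens the system
# identifier (through LWP when available, otherwise as a local file).
sub parse_refusing_external_entities {
    my ($xml) = @_;
    my @refused;      # system identifiers the document tried to pull in
    my $text = '';    # character data seen before the parse stopped
    my $parser = XML::Parser->new(
        NoLWP    => 1,    # never load LWP to fetch entities over the network
        Handlers => {
            Char => sub { $text .= $_[1] },
            # Called as (expat, base, sysid, pubid). Record the attempt and
            # return undef so the parser raises an error instead of reading.
            ExternEnt => sub { push @refused, $_[2]; return undef },
        },
    );
    # parse() dies on the refused entity; trap it so the service can
    # answer with a fault rather than crash.
    my $ok = eval { $parser->parse($xml); 1 };
    return { ok => $ok ? 1 : 0, refused => \@refused, text => $text };
}

my $result = parse_refusing_external_entities($request);
printf "parsed cleanly: %s\n", $result->{ok} ? 'yes' : 'no';
print "refused external entity: $_\n" for @{ $result->{refused} };
```

Logging the refused system identifiers gives a server operator a record of requests that attempted external entity resolution.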

  • This is old old news. I first thought about this when I was developing my first XML applications back in 1998. I think we probably talked about it on the perl-xml list back then, but I don't recall - it's a long time!

    Anyway, I guess the issue is still a relatively minor security issue for most systems. I can see it being mainly a "discovery" mechanism, rather than an exploitation mechanism. You might conceivably be able to get some system to send back an error in the case of invalid content, which contains
    • I had been under the (misguided) impression that entity resolution and validation were somehow linked, and that not providing the one (validation) meant you weren't doing the other.

      It was a simple-enough fix, but since my server classes proudly identify themselves in headers, I didn't want anyone being left vulnerable.

      --

      --rjray