Stories
Slash Boxes
Comments

NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

use Perl

All the Perl that's Practical to Extract and Report

Important Security Notice (re: RPC::XML) More | Login | Reply

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Without JavaScript enabled, you might want to use the classic discussion system instead. If you login, you can remember this preference.

Old news (Score:2)

by Matts (1087)

This is old old news. I first thought about this when I was developing my first XML applications back in 1998. I think we probably talked about it on the perl-xml list back then, but I don't recall - it's a long time!

Anyway, I guess the issue is still a relatively minor security issue for most systems. I can see it being mainly a "discovery" mechanism, rather than an exploitation mechanism. You might conceivably be able to get some system to send back an error in the case of invalid content, which contains
- Re:Old news (Score:2)
  
  by rjray (1649)
  
  I had been under the (misguided) impression that entity resolution and validation were somehow linked, and that not providing the one (validation) meant you weren't doing the other.
  
  It was a simple-enough fix, but since my server classes proudly identify themselves in headers, I didn't want anyone being left vulnerable.
  
  --
  --rjray

Get More Comments

Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.