ietf-mxcomp

XML exploits

2004-06-15 11:26:23



In the overtime part of the Jabber session yesterday, Andy asked a
good question:

    Has anybody ever known of an exploit that targeted a vulnerability
    in the XML spec?

When no one answered, Jim Lyon responded "Andy, you should take that
as a resounding no."


Now there is a problem here folks.  When I first started getting
interested in designated sender systems (before SPF was even started),
I investigated the security issues of DNS, IP spoofing and SMTP.  I've
investigated them several times since then.  There *are* problems of
various forms with all of those systems, but none that I think are
critical to SPF.  However, I could easily have answered questions
similar to what Andy asked about the proposals I'm involved in.

Now, a quick check of bugtraq finds the following XML related
problems:


Microsoft Internet Explorer XML Parsing Denial Of Service
Vulnerability
remote  Yes
published       May 10, 2004
http://www.securityfocus.com/bid/10318

This is *exactly* the type of problem that mail admins are using to justify
not wanting anything to do with XML on their mail servers.  They are
already under enough DoS attacks, thank you very much.


Multiple Vendor XML DTD Parameter Entity SOAP Server Denial Of Service
Vulnerability
remote  Yes
published       Dec 11, 2003


Microsoft Internet Explorer XML Object Zone Restriction Bypass
Vulnerability
remote  Yes
published       Nov 11, 2003


Sun Java XML Document Nested Entity Denial Of Service Vulnerability
remote  No
published       Sep 22, 2003



The list goes on, and that is only the very first source that I
checked.

Ok, now, I'm bothered.  Why didn't Jim or Harry immediately mention
such known security problems with XML?  Yes, they are likely not problems any
longer, but then neither are the DNS/IP-spoofing/SMTP problems that I
can name.


I've never claimed to be an XML expert.  When I ask questions about
it, I do so in order to learn about stuff.  Stuff that I think is
important to know.

Ok, for those who know more about XML than I do, can you give me an
example of where XML has been put into as hostile an environment as
anti-forgery/phishing SMTP?  Where so many different platforms will
need to be able to safely deal with XML documents from malicious
users?


-wayne

