Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-15 Thread Marcel de Kleine
2018 17:28:34 +0000 From: Keith Breinholt <breinhol...@ldschurch.org> Subject: Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention To: MarkLogic Developer Discussion <general@developer.marklogic.com> Message-ID: <sn1pr04mb190429cfb3c02923235f767fb8...@sn1

Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Liam R. E. Quin
On Wed, 2018-03-14 at 16:40 -0500, Eliot Kimber wrote:
> Anyway, the original sample doc was (is) valid and the injection can
> be done if you have access to the ML server's file system and ML has
> read access to a directory you can write to and you can create and
> can run XQuery to load the

Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Eliot Kimber
<ekim...@contrext.com> Reply-To: MarkLogic Developer Discussion <general@developer.marklogic.com> Date: Wednesday, March 14, 2018 at 2:49 PM To: MarkLogic Developer Discussion <general@developer.marklogic.com> Subject: Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb preven

Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Eliot Kimber
Logic Developer Discussion <general@developer.marklogic.com> Date: Wednesday, March 14, 2018 at 12:07 PM To: MarkLogic Developer Discussion <general@developer.marklogic.com> Subject: Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention Perhaps you could show the code that you

Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Keith Breinholt
er.marklogic.com <general-boun...@developer.marklogic.com> On Behalf Of Marcel de Kleine Sent: Wednesday, March 14, 2018 6:43 AM To: general@developer.marklogic.com<mailto:general@d

Re: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Keith Breinholt
please share the code you used to insert this document into a database. -Keith From: general-boun...@developer.marklogic.com <general-boun...@developer.marklogic.com> On Behalf Of Marcel de Kleine Sent: Wednesday, March 14, 2018 6:43 AM To: general@developer.marklogic.com Subject: [MarkLogic Dev

[MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Marcel de Kleine
Hello, We have noticed MarkLogic is vulnerable to XXE (entity expansion) and XML bomb attacks. When loading a malicious document using xdmp:document-insert it won't catch these and causes either loading of unwanted external documents (XXE) or lockup of the system (XML bomb). For example, if