As of 2.1, you can configure Xerces-C++ to completely ignore the external
subset of a DTD when not validating. You can also install an
EntityResolver yourself and do that. You could even have a trusted version
of the DTD on the server and use that instead of the one specified by the
system ID.
Internal subsets of DTDs will be harder to control. I think the Xerces
team would need more details about such malicious DTDs.
Dave
From: Bhavani Ravichandran <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: (bcc: David N Bertoni/Cambridge/IBM)
Date: 03/06/2003 12:11 PM
Subject: DOS attack via Xerces
Please respond to xerces-c-dev
Hi,
I saw the following DOS security alert in the xerces-j-user newsgroup
...
I recently received a security alert regarding Xerces XML parsers (see
below). We have recently implemented an application that uses Castor, which
uses Xerces 1.4.4, to parse XML requests for data. Are there any changes in
the works to Xerces to combat this issue?
The Xerces XML parser included in multiple vendors' web services products
is used to parse XML documents that contain Document Type Definitions
(DTD). A remote attacker may configure the attributes of a document or
object within a DTD or Simple Object Access Protocol message to cause a
denial of service (DoS) attack against web systems running the parser.
The malicious DTD sends the parser into an almost infinite loop, which
exhausts CPU resources.
Is anyone looking/has anyone looked into this for Xerces-C++? We are shipping
the Xerces-C++ 1.7 parser with our product and would like to incorporate the
changes if one is available.
Bhavani Ravichandran
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]