Hello,

Is this only an issue when parsing a malformed DTD? Can the problem occur when parsing a malformed Schema file? Can the problem occur when parsing an XML instance file without reference to a validation file?

Thanks,
Scott

-----Original Message-----
From: David N Bertoni/Cambridge/IBM [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 06, 2003 1:55 PM
To: [EMAIL PROTECTED]
Subject: Re: DOS attack via Xerces

As of 2.1, you can configure Xerces-C++ to completely ignore the external subset of a DTD when not validating. You can also install an EntityResolver yourself and do that. You could even have a trusted version of the DTD on the server and use that instead of the one specified by the system ID.

Internal subsets of DTDs will be harder to control. I think the Xerces team would need more details about such malicious DTDs.

Dave

Bhavani Ravichandran <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: (bcc: David N Bertoni/Cambridge/IBM)
Subject: DOS attack via Xerces
03/06/2003 12:11 PM
Please respond to xerces-c-dev

Hi,

I saw the following DOS security alert in the xerces-j-user newsgroup ...

I recently received a security alert regarding Xerces XML parsers (see below). We have recently implemented an application that uses Castor, which uses Xerces 1.4.4, to parse XML requests for data. Are there any changes in the works to Xerces to combat this issue?

The Xerces XML parser included in multiple vendors' web services products is used to parse XML documents that contain Document Type Definitions (DTD). A remote attacker may configure the attributes of a document or object within a DTD or Simple Object Access Protocol message to cause a denial of service (DoS) attack against web systems running the parser. The malicious DTD sends the parser into an almost infinite loop, which exhausts CPU resources.

Is anyone looking / has anyone looked into this for Xerces-C++? We are shipping the xercesc 1.7 parser with our product and would like to incorporate the changes if one is available.
Bhavani Ravichandran

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
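Dave's three options (ignore the external subset when not validating, install your own EntityResolver, serve a trusted DTD instead of the one named by the system ID) are the same controls other parsers expose. The block below is an added example, not code from this thread or from Xerces: it shows the pattern with Python's standard-library SAX reader, which is what can be exercised here; the document, the DTD system ID and the trusted DTD text are all constructed.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed document: its DOCTYPE names a DTD the server must never fetch.
UNTRUSTED_DOC = (b'<?xml version="1.0"?>\n'
                 b'<!DOCTYPE note SYSTEM "http://dtd.example.invalid/evil.dtd">\n'
                 b'<note>&greeting;</note>\n')
# Constructed trusted DTD held on the server; it stands in for whatever the
# document's system ID points at.
TRUSTED_DTD = '<!ENTITY greeting "hello from the trusted DTD">\n'


class TrustedDtdResolver(EntityResolver):
    """Records what the parser asked for and always serves the local DTD."""
    def __init__(self, dtd_text):
        self.dtd_text = dtd_text
        self.requested = []  # system IDs the parser tried to resolve

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource()  # no system ID set, so nothing gets opened
        source.setCharacterStream(io.StringIO(self.dtd_text))
        return source


class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted(xml_bytes, load_external_dtd):
    """Return (text content, system IDs requested) for an untrusted document."""
    parser = xml.sax.make_parser()
    # load_external_dtd=False is the 'ignore the external subset' setting: the
    # parser never asks for the DTD and an undeclared entity is skipped, not an
    # error. In Python's expat reader the external subset goes through the same
    # hook as external general entities, so this one feature governs it.
    parser.setFeature(feature_external_ges, load_external_dtd)
    resolver = TrustedDtdResolver(TRUSTED_DTD)  # consulted only when loading is on
    parser.setEntityResolver(resolver)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks), resolver.requested
```

With loading off the resolver is never consulted and the entity text is empty; with loading on the parser asks for the document's system ID but receives the local DTD, so the expanded text comes from the trusted copy.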
