Hi Robert,
In Xerces2 CVS, a feature has been implemented called
http://apache.org/xml/features/disallow-doctype-decl
which, when set to true by an application, causes Xerces to emit an error
upon detection of a doctype and refuse to process the document. The DOS in
question involves entities, which--naturally--can't be declared outside of
a DTD; hence, for applications like SOAP processors that disallow doctypes
in documents they process, this feature will allow the application to
thwart the DOS.
Xerces 1 hasn't been actively developed for a very long time; I'm not aware
of any committer planning to implement such a fix in that product.
Obviously, for applications that wish to process documents containing
doctype lines, this feature isn't helpful. Several members of the
community are discussing ways to fix this problem--and some other, similar,
problems that the disallow-doctype-decl feature would not address. When
this is fully implemented we'll be sure to let it be known.
Hope that helps!
Neil
Neil Graham
XML Parser Development
IBM Toronto Lab
Phone: 905-413-3519, T/L 969-3519
E-mail: [EMAIL PROTECTED]
From: [EMAIL PROTECTED].hsbc.Com
Date: 12/12/2002 03:37 PM
Please respond to xerces-j-user
To: [EMAIL PROTECTED]
cc:
Subject: Dos Attack via Xerces
I recently received a security alert regarding Xerces XML parsers (see
below). We have recently implemented an application that uses Castor, which
uses Xerces 1.4.4, to parse XML requests for data. Are there any changes in
the works to Xerces to combat this issue?
The Xerces XML parser included in multiple vendors' web services products
is used to parse XML documents that contain Document Type Definitions
(DTD). A remote attacker may configure the attributes of a document or
object within a DTD or Simple Object Access Protocol message to cause a
denial of service (DoS) attack against web systems running the parser.
The malicious DTD sends the parser into an almost infinite loop, which
exhausts CPU resources.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
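The following is an added example, not code from the thread or from the Xerces project, showing how an application would switch on the disallow-doctype-decl feature Neil describes and what it does to three kinds of input. It goes through JAXP's DocumentBuilderFactory.setFeature, which passes the Apache feature URI through to any Xerces2-based parser (the JDK's bundled parser is one); a Xerces2 build that implements the feature is assumed. The three documents are constructed for the demonstration: a small nested-entity DTD of the kind the alert refers to, kept to three levels so it is harmless to run; a harmless document with an internal DTD; and a doctype-free SOAP-style envelope.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeGuardDemo {

    /** The Xerces2 feature discussed in the thread. */
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /**
     * Constructed sample of the entity-expansion pattern: each entity expands into
     * ten copies of the one below it. Three levels (1,000 copies of "x") is harmless;
     * the attack variant nests far deeper so the expanded text grows exponentially.
     */
    static final String ENTITY_BOMB =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [\n" +
        "  <!ENTITY a \"xxxxxxxxxx\">\n" +
        "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
        "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n" +
        "]>\n" +
        "<data>&c;</data>";

    /** Constructed harmless document with an internal DTD; the feature rejects this too. */
    static final String BENIGN_WITH_DTD =
        "<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]><note>hello</note>";

    /** Constructed doctype-free SOAP-style envelope, the case the feature is meant for. */
    static final String NO_DTD =
        "<Envelope xmlns=\"http://schemas.xmlsoap.org/soap/envelope/\"><Body/></Envelope>";

    /**
     * Parses xml with the feature on or off and reports the outcome as a string so
     * the cases can be compared side by side. setFeature throws if the underlying
     * parser does not know the feature, which is the right failure mode: a guard
     * that is silently ignored is worse than a startup error.
     */
    static String parse(String xml, boolean disallowDoctype) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors instead of printing them to stderr first.
        builder.setErrorHandler(new DefaultHandler());
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            int expanded = doc.getDocumentElement().getTextContent().length();
            return "parsed; expanded text length = " + expanded;
        } catch (SAXParseException e) {
            // With the feature on, the DOCTYPE itself is the fatal error, so no
            // entity is ever declared, let alone expanded.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        for (boolean guard : new boolean[] { false, true }) {
            System.out.println("disallow-doctype-decl = " + guard);
            System.out.println("  entity bomb : " + parse(ENTITY_BOMB, guard));
            System.out.println("  benign + DTD: " + parse(BENIGN_WITH_DTD, guard));
            System.out.println("  no DTD      : " + parse(NO_DTD, guard));
        }
    }
}
```

With the feature off, both DTD-bearing documents parse and the entity sample expands to its full length; with it on, the parser stops at the DOCTYPE of both, while the doctype-free envelope parses either way. That second rejection is the caveat in Neil's reply: the feature is only usable where the application can refuse every document that carries a doctype, which holds for SOAP processors but not for applications that legitimately need DTDs.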