lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: greg-fulldisclosure at nest.cx (Gregory Steuck)
Subject: Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD

>>>>> "Amit" == Amit Klein <amit.klein@...ctuminc.com> writes:

    Amit> Whether you like ot or not, a substantial amount of
    Amit> BugTraq advisories are non-doscilsure. This is by no means the
    Amit> first one.  Full disclosure does not mean spelling out
    Amit> exploits for script kiddies.

I don't advocate "0wning t00lz", I advocate providing enough details to
help intelligent programmers to avoid repeating the old mistakes. And
your evaluation of bugtraq seems to match mine, so it is time for those
who seek knowledge to move on. Thank you Georgi, for bringing
full-disclosure to my attention.

    >>  Uh-oh, turns out it's the way DTD is supposed to work, not an
    >> implementation defect.

    Amit> First, RTFM: "A SOAP message MUST NOT contain a Document Type
    Amit> Declaration" (http://www.w3.org/TR/SOAP/ section 3).

A clarification is in order, I meant to say "not an implementation
defect in XML parser".

    Amit> And for the generic XML documents, I believe that it is
    Amit> possible to parse the DTD securely.

That's precisely my point: as a developer I need to know what I should
be looking for. Your advisory does not teach me much. It does not tell
me how to use an XML parser safely.

Thanks
Greg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ