lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: amit.klein at sanctuminc.com (Amit Klein)
Subject: RE: Multiple vendors XML parser (and SOAP/WebServices server) Den
 ial of Service attack using DTD

> It's posts like
> this one that make Bugtraq a cheap brand name peddling place.
> 

Wake up. Whether you like ot or not, a substantial amount of BugTraq
advisories are non-doscilsure. This is by no means the first one.
Full disclosure does not mean spelling out exploits for script kiddies. At
the end of the day, the products became secure (due to patches
offered by the vendors), and that's what counts.

>     Amit>  - Other products from other vendors are known to be
>     Amit> vulnerable too
> 
> Perfect, and since we are not told what the vulnerability is, we are
> left vulnerable without any way to find out where the problem lies.
>

The vendors not listed are ones that were not contacted directly by me.
These vendors did not contact me, and I have no information 
regarding their status with this vulnerability. As such, I did not include
them in my advisory. If you use a product from such vendor, you
should probably ask your vendor some questions.
 
> 
> Uh-oh, turns out it's the way DTD is supposed to work, not an
> implementation defect.
> 

First, RTFM: "A SOAP message MUST NOT contain a Document Type Declaration"
(http://www.w3.org/TR/SOAP/ section 3). 
And for the generic XML documents, I believe that it is possible to parse 
the DTD securely. The fact that the DTD allows you to do something does not
mean that it is secure to do it. 
For example, the DTD allows you to define external entities, yet these
clearly pose a security problem.

Thanks,
-Amit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021217/7615b4c8/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ