lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 1 Feb 2011 19:24:40 -0800
From: Chris Evans <scarybeasts@...il.com>
To: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: PAPER: Attacking Server Side XML Parsers

On Tue, Feb 1, 2011 at 5:55 PM, HI-TECH . <
isowarez.isowarez.isowarez@...glemail.com> wrote:

> Hello lists,
>
> the paper included in this email discusses as the subject describes the
> issues of XML Parsers and how they can be exploited in a web
> application environment.
> >From the Preface:
>
> During the audit of web applications one might come across an
> application which handles XML files.
> Specifically there can be an application which allows uploading XML
> files which are thereafter inserted
> into a database and used for later displaying on the front end of the
> application viewable by the user.
> I came across a significant “vulnerability class” which allows an
> attacker (or penetration tester) to
> evoke a scenario which will give access to all files on the underlying
> file system which the application
> server runs as. This includes (in the case the application is
> programmed in the Java language) access
> to directory listings as well.
>
> Any pointers if this was helpful to you are appriciated.
>

This attack is called XXE (Xml eXternal Entity).

It's depressing because it's been known about since at least 2002 (
http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00421.html), yet it
still keeps rearing its head. There's also the "billion laughs" attack which
is a variant that consumes excessive server-side resource.

There have also been client-side examples of this attack, including in
Safari and (IIRC) Adobe Reader.


Cheers
Chris


>
>
> Best Regards,
>
> Kingcope
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ