Message-ID: <20050914111713.13530.qmail@securityfocus.com>
Date: 14 Sep 2005 11:17:13 -0000
From: darkangel.stt@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Serious Security issue with broken - Microsoft's .Net XML
 Serialization API


There is an attribute in .NET to serialize all your attributes... "long" type may not be serializable by default (no idea why)...

Example:

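	using System.IO;
	using System.Xml.Serialization;

	// One menu entry. XmlSerializer only writes public fields and properties.
	[XmlRootAttribute("item", IsNullable = false)]
	public class MenuData
	{
		// Written as the Label="..." attribute of the element
		[XmlAttribute("Label")]
		public string MenuLabel = string.Empty;
		// Written as the Link="..." attribute of the element
		[XmlAttribute("Link")]
		public string MenuLink = string.Empty;
		// Written as a <Links> child element holding one <string> per entry
		[XmlArrayAttribute("Links", IsNullable = false)]
		public string[] MenuLinks;

		// XmlSerializer requires a public parameterless constructor
		public MenuData()
		{
		}
	}

	// Document root: <Menu> containing an <Items> array of MenuData
	[XmlRootAttribute("Menu", IsNullable = false)]
	public class Menu
	{
		[XmlArrayAttribute("Items")]
		public MenuData[] MenuItems;

		public Menu()
		{
		}
	}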

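		// SaveMenu and GetMenu are members of the class that owns the menu;
		// MenuFile (path of the XML file) and myMenu (the Menu instance) are
		// fields of that class, not shown here.
		public void SaveMenu()
		{
			XmlSerializer serializer = new XmlSerializer(typeof(Menu));
			// using closes the writer even if Serialize throws
			using (TextWriter writer = new StreamWriter(MenuFile))
			{
				serializer.Serialize(writer, myMenu);
			}
		}

		private void GetMenu()
		{
			XmlSerializer serializer = new XmlSerializer(typeof(Menu));
			// using closes the stream even if Deserialize throws
			using (FileStream fs = new FileStream(MenuFile, FileMode.Open, System.IO.FileAccess.Read))
			{
				myMenu = (Menu)serializer.Deserialize(fs);
			}
		}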


Output will be something like:
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Items>
    <MenuData Label="Quit" Link="/logoff.aspx" />
    <MenuData Label="Notify users" Link="/notify.aspx" />
    <MenuData Label="Admin" Link="/admin/login.aspx">
      <Links>
        <string>/admin/subpage.aspx</string>
        <string>/admin/otherpage.aspx</string>
      </Links>
    </MenuData>
    <MenuData Label="Users" Link="/userlist.aspx" />
  </Items>
</Menu>


This works..... I don't see any security issue!! Some attributes won't be serializable by default...

