| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <86u1hc5tmt.fsf@home.nest.cx>
From: greg-fulldisclosure at nest.cx (Gregory Steuck)
Subject: Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
>>>>> "Amit" == Amit Klein <amit.klein@...ctuminc.com> writes:
Amit> Whether you like ot or not, a substantial amount of
Amit> BugTraq advisories are non-doscilsure. This is by no means the
Amit> first one. Full disclosure does not mean spelling out
Amit> exploits for script kiddies.
I don't advocate "0wning t00lz", I advocate providing enough details to
help intelligent programmers to avoid repeating the old mistakes. And
your evaluation of bugtraq seems to match mine, so it is time for those
who seek knowledge to move on. Thank you Georgi, for bringing
full-disclosure to my attention.
>> Uh-oh, turns out it's the way DTD is supposed to work, not an
>> implementation defect.
Amit> First, RTFM: "A SOAP message MUST NOT contain a Document Type
Amit> Declaration" (http://www.w3.org/TR/SOAP/ section 3).
A clarification is in order, I meant to say "not an implementation
defect in XML parser".
Amit> And for the generic XML documents, I believe that it is
Amit> possible to parse the DTD securely.
That's precisely my point: as a developer I need to know what I should
be looking for. Your advisory does not teach me much. It does not tell
me how to use an XML parser safely.
Thanks
Greg
Powered by blists - more mailing lists