Date: Wed, 2 Feb 2011 02:55:21 +0100
From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: PAPER: Attacking Server Side XML Parsers

Hello lists,

the paper included in this email discusses, as the subject describes, the
issues of XML parsers and how they can be exploited in a web
application environment.
From the Preface:

During the audit of web applications one might come across an application which handles XML files. Specifically there can be an application which allows uploading XML files which are thereafter inserted into a database and used for later displaying on the front end of the application viewable by the user. I came across a significant “vulnerability class” which allows an attacker (or penetration tester) to evoke a scenario which will give access to all files on the underlying file system which the application server runs as. This includes (in the case the application is programmed in the Java language) access to directory listings as well.

Any pointers if this was helpful to you are appreciated.


Best Regards,

Kingcope

Download attachment "Attacking Server Side XML Parsers.pdf" of type "application/pdf" (98881 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
