[WEB SECURITY] Multi Vendor XML parser DOS Details?

Minoo Hamilton minoo at forkbolt.net
Thu Aug 6 16:26:57 EDT 2009


The best I've found so far is in the CERT Advisory, which says: "The 
vulnerabilities are related to the parsing of XML elements with 
unexpected byte values and recursive parentheses, which cause the 
program to access memory out of bounds, or to loop indefinitely."

https://www.cert.fi/en/reports/2009/vulnerability2009085.html

There is an Apache Xerces patch diff already, I'm told.  I also spoke 
with one of the reporters who spoke with the Codenomicon researchers 
directly and they were not giving out any technical info. 


Minoo 



Eugene Kuznetsov wrote:
> The stuff I saw was the well-known "many open tags, no close tags"
> scenario, which is quite a bit simpler than Entity Expansion -- since
> parsers have to keep a stack of start elements (usually), one can simply
> blow the stack by never closing them, like so:
>
> <foo><foo><foo><foo> ... for megabytes
>
> Many of the basic XML attacks are of this basic type, violating the
> assumptions within the parser about what's reasonable input. Hope this
> helps. 
>
> 				-- Eugene
>
>
> On Thu, 2009-08-06 at 14:36 -0400, robert at webappsec.org wrote:
>   
>> There's been news about a new XML Parser Denial of Service that seems to affect multiple products.
>> Unfortunately I haven't seen any technical details as to what the issue is, does anyone
>> know what it is exactly?
>>
>> I'm thinking one of the following?
>>
>> XML Attribute Blowup (WASC TCv2)
>> http://projects.webappsec.org/XML-Attribute-Blowup
>>
>> XML Entity Expansion (WASC TCv2)
>> http://projects.webappsec.org/XML-Entity-Expansion
>>
>> Regards,
>> - Robert Auger
>> WASC Co Founder and Moderator of The Web Security Mailing List
>> http://www.webappsec.org/
>> http://www.cgisecurity.com/
>> http://www.qasec.com/
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives: 
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS: 
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>     
>
>
>   
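A defensive pre-parse check for the "many open tags, no close tags" input Eugene describes, as an added example that is not part of the original posts and is not the Xerces patch. The names `check_xml_limits`, `is_acceptable` and `XmlLimitExceeded` are hypothetical, and the limits and the no-DOCTYPE policy (which also rules out the entity expansion case Robert lists) are assumptions.

```python
import xml.parsers.expat

MAX_DEPTH = 64         # assumed policy limit on open-element nesting
MAX_BYTES = 1_000_000  # assumed cap on total document size


class XmlLimitExceeded(Exception):
    """Raised when a document violates one of the assumed limits."""


def check_xml_limits(data, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES, chunk=4096):
    """Stream data through expat; return the deepest nesting level seen."""
    if len(data) > max_bytes:
        raise XmlLimitExceeded("document larger than %d bytes" % max_bytes)
    state = {"depth": 0, "deepest": 0}

    def start(name, attrs):
        state["depth"] += 1
        if state["depth"] > max_depth:
            # Abort while the element stack is still small.
            raise XmlLimitExceeded("nesting deeper than %d" % max_depth)
        state["deepest"] = max(state["deepest"], state["depth"])

    def end(name):
        state["depth"] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        # Assumed policy: no DTDs, which also rules out entity expansion.
        raise XmlLimitExceeded("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    for off in range(0, len(data), chunk):
        parser.Parse(data[off:off + chunk], False)
    parser.Parse(b"", True)  # raises ExpatError if elements were never closed
    return state["deepest"]


def is_acceptable(data):
    """True only for well-formed input that stays inside the limits."""
    try:
        check_xml_limits(data)
        return True
    except (XmlLimitExceeded, xml.parsers.expat.ExpatError):
        return False
```

Because the handlers fire as each chunk is fed, the check stops at the first element past the limit instead of buffering the whole document.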

