XML Library Flaw — Sun, Apache, GNOME Affected
bednarz writes with this excerpt from Network World:
"Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."
Re:ASCII Delimited Security Issues (Score:4, Informative)
XML in itself is sometimes a denial of service with strange side-effects.
As soon as you insert XML that isn't well-formed into an XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request was the culprit. If you are lucky you get a parsing exception; if not, you get a null pointer exception or an infinite loop in the parser.
Re:Open source (Score:5, Informative)
Also, fuzzing discovers DoSes. But many DoS attacks turn into vulnerabilities in the hands of a skilled hacker, and it's generally not safe to assume that a DoS is unexploitable without extensive code analysis.
Re:Open source (Score:4, Informative)
Think "I wonder if [google.com] these vulnerabilities could have [google.com] been found earlier [google.com] if the code was [google.com] open source [google.com]."
Re:Article?? (Score:2, Informative)
I think they in fact did it in a very responsible way. If you read the CERT advisory and everything, it seems they have worked a good part of the year with the industry and CERTs to make sure these problems are actually fixed before letting ppl know!
Re:And they said XML was easy to parse (Score:3, Informative)
Except CSV isn't a standard.
The IETF [ietf.org] might disagree with you.
Re:And they said XML was easy to parse (Score:3, Informative)
Except CSV isn't a standard.
The IETF [ietf.org] might disagree with you.
"This memo provides information for the Internet community. It does not specify an Internet standard of any kind."
Advisories released (Score:2, Informative)
CERT-FI advisory: https://www.cert.fi/en/reports/2009/vulnerability2009085.html
Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
CERT-FI advisory had a link to Codenomicon web page with some more details: http://www.codenomicon.com/labs/xml/