> It's posts like > this one that make Bugtraq a cheap brand name peddling place. > Wake up. Whether you like ot or not, a substantial amount of BugTraq advisories are non-doscilsure. This is by no means the first one. Full disclosure does not mean spelling out exploits for script kiddies. At the end of the day, the products became secure (due to patches offered by the vendors), and that's what counts. > Amit> - Other products from other vendors are known to be > Amit> vulnerable too > > Perfect, and since we are not told what the vulnerability is, we are > left vulnerable without any way to find out where the problem lies. > The vendors not listed are ones that were not contacted directly by me. These vendors did not contact me, and I have no information regarding their status with this vulnerability. As such, I did not include them in my advisory. If you use a product from such vendor, you should probably ask your vendor some questions. > > Uh-oh, turns out it's the way DTD is supposed to work, not an > implementation defect. > First, RTFM: "A SOAP message MUST NOT contain a Document Type Declaration" (http://www.w3.org/TR/SOAP/ section 3). And for the generic XML documents, I believe that it is possible to parse the DTD securely. The fact that the DTD allows you to do something does not mean that it is secure to do it. For example, the DTD allows you to define external entities, yet these clearly pose a security problem. Thanks, -Amit _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 13:31:56 PST