XML Library Flaw — Sun, Apache, GNOME Affected
bednarz writes with this excerpt from Network World:
"Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."
A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail.
I prefer not to find my bugs...
Because pythons are long and big and will not fit the title.
This space for rent.
You think I've come to the right place?
I've included a simple demonstration below - if your browser doesn't contain the flaw then you'll just see the literal XML exploit code (all 200+ lines of it), but if it's vulnerable then you'll only see the initial trigger element on either side of Cmdr Taco's favorite topic.
<\0pwned>OMGPonies!!11one!<\0pwn3d/>