XML Library Flaw — Sun, Apache, GNOME Affected
bednarz writes with this excerpt from Network World:
"Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."
Seems to me that ASCII delimited protocols always have these types of issues. It's quite easy to write fuzzers for human readable protocols compared to binary encoded protocols. Too bad these developers don't know how to write good unit tests... This could have been avoided.
There doesn't seem to be much of an article behind this summary. Just some fluff about malicious input and the fact that XML is widely used. Would be interesting to see examples of the malicious XML and an explanation of how the vulnerabilities work.
"Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
Except CSV isn't a standard. While the general idea is similar, the details differ greatly from parser to parser. Do you need a trailing comma on the line? Do you allow leading or trailing space on an entry? Since most generators use slightly different conventions, parsers need to be significantly more complex. And CSV is far more limited in scope. I think of CSV as the scripting language to XML's high level OO VM language. Neither is a particularly efficient format, but they're both easier to work with than the alternative (binary coded data), and they're each good for different things. CSV works well for simple data structures, just like scripting languages are appropriate for small utility programs, while XML is good for complex, rigidly defined structures, just like a high level OO language is more appropriate to large projects where maintainability is a concern.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
Title = XML Library Flaw -- Sun, Apache, GNOME Affected
1st Line of Summary = Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project
Well, I'd like JSON and bencode for that matter.
The solution is clear to me. I would stop using XML.
Since MS is closed source, it wouldn't be fixed for months on end like open source is. That's the only difference. See? It works both ways, neither is really helpful.
Check out my lame java blog at www.javachopshop.com
Interesting. Of course, it was only published in 2005. If they'd written this up 20 years ago, it might have been more helpful. As is, the various CSV writers have been around so long that a lot of non-conformant CSV is out there. So the parsers remain fairly complex, to account for the previously undefined behaviors. And of course, that standard is for a MIME type; non-web focused CSV generators will still ignore parts of it.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
Which libraries? libxml2, expat, or some other library?
The last I'd checked, Python could use several XML libraries, and Sun distributed several libraries.
It would be nice if TFA had told us which libraries, or had a link to the actual report listing them.
www.eFax.com are spammers
Exactly. Unit tests do not prove the absence of bugs. They prove the existence of bugs.