Slashdot Mirror

← Back to Stories (view on slashdot.org)

XML Library Flaw — Sun, Apache, GNOME Affected

Posted by Soulskill on from the finding-fast-fixes-for-flaws dept.

bednarz writes with this excerpt from Network World: "Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."

12 of 140 comments (clear)

  1. Re:ASCII Delimited Security Issues by sys.stdout.write · · Score: 4, Insightful

    Too bad these developers don't know how to write good unit tests... This could have been avoided..

    That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.

  2. Re:ASCII Delimited Security Issues by Z00L00K · · Score: 3, Informative

    XML in itself is sometimes a denial of service with strange side-effects.

    As soon as you insert XML that isn't well-formed into a XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit. If you are lucky you get a parsing exception, if not you get a Null pointer exception or an infinite loop in the parser.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. Article?? by funkatron · · Score: 4, Insightful

    There doesn't seem to be much of an article behind this summary. Just some fluff about malicious input and the fact that XML is widely used. Would be interesting to see examples of the malicious XML and an explanation of how the vulnerabilities work.

    --
    "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
  4. Re:Open source by jpmorgan · · Score: 4, Informative

    Someone will undoubtedly say that the bug being found was part of the process, since it's open source and that means the source is auditable by anybody. Reality: it was discovered by the maker of a fuzzing tool. Fuzzing is the process of sending garbage into software to see if it breaks... it works quite well and generally doesn't require the source code.

    Also, fuzzing discovers DoSes. But many DoS attacks turn into vulnerabilities in the hands of a skilled hacker, and it's generally not safe to assume that a DoS is unexploitable without extensive code analysis.

  5. Re:And they said XML was easy to parse by ShadowRangerRIT · · Score: 3, Insightful

    Except CSV isn't a standard. While the general idea is similar, the details differ greatly from parser to parser. Do you need a trailing comma on the line? Do you allow leading or trailing space on an entry? Since most generators use slightly different conventions, parsers need to be significantly more complex. And CSV is far more limited in scope. I think of CSV as the scripting language to XML's high level OO VM language. Neither is a particularly efficient format, but they're both easier to work with than the alternative (binary coded data), and they're each good for different things. CSV works well for simple data structures, just like scripting languages are appropriate for small utility programs, while XML is good for complex, rigidly defined structures, just like a high level OO language is more appropriate to large projects where maintainability is a concern.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  6. Re:Open source by ChienAndalu · · Score: 3, Informative

    Think "
    I wonder if these vulnerabilites could have been found earlier if the code was open source."

  7. Why is Python excluded from Title? by neonprimetime · · Score: 4, Insightful

    Title = XML Library Flaw -- Sun, Apache, GNOME Affected
    1st Line of Summary = Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project

    1. Re:Why is Python excluded from Title? by recoiledsnake · · Score: 5, Funny

      Because pythons are long and big and will not fit the title.

      --
      This space for rent.
  8. Re:ASCII Delimited Security Issues by jopsen · · Score: 4, Funny

    A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail.

    I prefer not to find my bugs...

  9. Re:And they said XML was easy to parse by Desler · · Score: 3, Informative

    Except CSV isn't a standard.

    The IETF might disagree with you.

  10. Which XML libraries? by wowbagger · · Score: 3, Insightful

    Which libraries? libxml2, expat, or some other library?

    The last I'd checked, Python could use several XML libraries, and Sun distributed several libraries.

    It would be nice if TFA had told us which libraries, or had a link to the actual report listing them.

    --
    www.eFax.com are spammers
  11. Someone just rediscovered XML Entity Attacks by Rich · · Score: 3, Interesting

    It's difficult to say from the information provided, but it sounds like someone just rediscovered XML entity attacks (as I did a few years ago). Assuming it is the same thing, here are some references from 2002 and 2006 with more details:
    http://www.securiteam.com/securitynews/6D0100A5PU.html
    http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf

    I've used these attacks in real-world tests and they are still surprisingly effective - just not new.