XML flaws threaten 'enormous' array of apps (opens in new tab)

(theregister.co.uk)

24 pointsmindhacker16y ago16 comments

16 comments

Poorly written XML parsers (and I've written my fair share) are always open to DOS attacks; XML has no upper bound on element names, attribute value length, stack depth ...

http://en.wikipedia.org/wiki/Billion_laughs

Same is mostly true of JSON parsers as well of course.

If you let potentially hostile users feed arbitrary data into any of these, even a totally non-buggy, perfectly conformant parser is wide-open to being abused via DOS.

jacquesm16y ago

That's a nasty little xml document. Interesting how any kind of simple macro expansion system is wide open to this kind of attack.

My guess is that to distinguish between 'legitimate' cases and 'attacks' is on par with solving the halting problem.

roc16y ago

Somehow I'm surprised that XML/JSON libraries written since the 90s would have the same core flaw as string libraries written in the 70s.

I know I shouldn't be. But here I am, surprised.

jerf16y ago

Well, they're both written in the same language. That ought to be a Big Fat Steaming Clue (TM).

Someday, I'd like to see a nice library written in something like O'Caml or Haskell exposed as a C interface that exists solely to be a library. I know it's technically possible today, but it doesn't seem to have penetrated into the public consciousness that even a C library doesn't actually have to be written in C anymore. (It may not be slick yet, but only because people aren't doing it, chicken and egg. There's no fundamental stopper.) I sure as hell wouldn't write a "C" library in C if I had anything remotely resembling a choice.

(Of course, that only solves string bobbles, not the "infinite memory consumption required" problem, but even then those other languages can have somewhat cleaner, clever solutions than in C.)

1 more reply

bsaunder16y ago

Here's the original press release from the company:

http://www.codenomicon.com/news/press-releases/2009-08-05.sh...

And a CERT-FI advisory:

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Also the expat-bug and expat-discuss mailing lists were very active in January/February with seemly related issues:

http://mail.libexpat.org/pipermail/expat-bugs/2009-January/t...

http://mail.libexpat.org/pipermail/expat-discuss/2009-Februa...

jcromartie16y ago

The original article sounds like a scare/marketing piece:

    "Targets: Anything that uses XML"

DanielStraight16y ago

Pretty much a useless article without some explanation of what the flaw is.

kevindication16y ago

Agreed. Also: "3-dimensional programs" are affected!

sixpoint816y ago

So then there is nothing wrong with XML… There is everything wrong with a few parsers.

Wouldn't a better title be "XML Parser Flaws Doom Computing World"?

cema16y ago

Because of the nature of the flaw, details have not been published. (Also see the original article at http://www.codenomicon.com/labs/xml/) Not clear what can be done about the issue, and how bad the issue is. Should we just wait for it to be resolved?

sgoranson16y ago

Pretty skeptical this flaw could be in "virtually every open-source XML library available". Seems unlikely a million brains collectively missed whatever this is.

jrockway16y ago

You are underestimating how easy it is to write insecure C code.

But it would be nice to know if this is expat, libxml2, or what.

philh16y ago

My understanding is it's not a single flaw. Virtually every XML library available is flawed, but each in their own way.

jeroen16y ago

"xml parser flaws"

tybris16y ago

Unless they can trigger an infinite loop I'm not really worried about Java/Python based web services being affected. Any exception should be caught on a per-request basis.

j / k navigate · click thread line to collapse