Sun JRE / JDK bug introduces XXE possibilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Sun JRE / JDK bug introduces XXE possibilities
- From: "Chris Evans" <scarybeasts@xxxxxxxxx>
- Date: Sat, 2 Feb 2008 14:21:13 +0000
Hi,
Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:
http://scarybeastsecurity.blogspot.com/
Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.
In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.
Cheers
Chris
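The practical lesson of the post is that an XXE mitigation flag is only as good as the parser build that honours it, so the check a deployer wants is an empirical one: feed a known external-entity payload to the parser configuration actually in use and see whether the referenced file's contents come back. The probe below is an added example, not code from the post, from Sun, or from any web service framework; it uses the standard SAX and Apache Xerces feature names (which parsers may or may not honour, which is exactly what it tests), and the canary file and class name are assumptions made for illustration.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/*
 * XxeProbe (illustrative, not from the original post): checks whether a
 * DocumentBuilderFactory configuration really suppresses external entity
 * expansion, instead of trusting that the flag was honoured.
 */
public class XxeProbe {
    // Marker written to a temporary file; it must never appear in parsed output.
    private static final String CANARY = "CANARY-7f3e9a";

    /** Classic XXE payload: an external general entity pointing at a local file. */
    static String payload(File secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">\n"
             + "]>\n"
             + "<doc>&xxe;</doc>";
    }

    /** Parses xml with factory f; returns true only if the canary leaked into the DOM. */
    static boolean leaks(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent().contains(CANARY);
        } catch (Exception e) {
            // A rejected DOCTYPE or a failed entity fetch is not a leak.
            return false;
        }
    }

    /** Factory with every commonly used XXE switch set; each one alone has failed somewhere. */
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        File secret = File.createTempFile("xxe-probe", ".txt");
        FileOutputStream out = new FileOutputStream(secret);
        try {
            out.write(CANARY.getBytes("UTF-8"));
        } finally {
            out.close();
        }
        String xml = payload(secret);
        try {
            System.out.println("default factory leaks:  "
                    + leaks(DocumentBuilderFactory.newInstance(), xml));
            System.out.println("hardened factory leaks: " + leaks(hardened(), xml));
        } finally {
            secret.delete();
        }
    }
}
```

Run it with the exact JDK and parser jars your service ships with; a "true" on the hardened line means the configuration you rely on is not protecting you on that build, regardless of what the feature names promise. Swapping in the DocumentBuilderFactory (or SAXParserFactory) that a given web service framework constructs internally turns this into the per-framework check the post suggests is worth doing.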