(as described by Randy Ray)
Basically, the expat parser that lives under the hood of
XML::Parser::Expat will try to resolve external entities if
they match a declaration specified in the DTD. This can
be used to cause a web service based on XML::Parser
(or a toolkit that uses it) to be hung, to open arbitrary
local files, etc. The exploit he showed me was:
1. Assume you have nc listening on port 8000
2. Send the following:
<!DOCTYPE x [ <!ENTITY ll SYSTEM "http://somehost:8000"> ]>
<x>&ll;</x>
That's very simplified (and I probably declared the
DOCTYPE block wrong, but I didn't feel like looking it
up), but it shows the problem. Even though expat
is non-validating, it will try to look up entities.
You can get around this by declaring an ExternEnt event
handler for the parser object's class. In both Ken's case
and mine, we just return an empty string (the proscribed
syntax is described in the man page). I also issue a
warning, Ken doesn't bother.
Technically, a SOAP message isn't supposed to have a
DOCTYPE, nor should XML-RPC. But this exploit could
kick in before a parse-engine like either of ours has a
chance to react to that.
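The behaviour Randy describes and the ExternEnt workaround, as an added example that is not part of the original post and is not XML::Parser's own code. It uses Python's xml.parsers.expat binding to the same expat library; unlike XML::Parser, pyexpat fetches nothing on its own, so the first function simulates the Perl default with a caller-supplied fetch callback (a hypothetical stand-in for the network request), the second is the equivalent of an ExternEnt handler that returns "" and issues a warning, and the third aborts at the DOCTYPE itself, the stricter check a SOAP or XML-RPC endpoint can afford since neither should carry one. The payload, host name and port are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample payload (not from the post): the internal DTD subset
# declares an external general entity whose system identifier points at the
# attacker's listener, and the body references that entity.
PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE methodCall [\n'
    b'  <!ENTITY ll SYSTEM "http://somehost:8000/">\n'
    b']>\n'
    b'<methodCall><methodName>&ll;</methodName></methodCall>\n'
)


def parse_resolving(xml_bytes, fetch):
    """Mimic XML::Parser's default: resolve the external entity by fetching
    its system identifier. `fetch` is a hypothetical callback standing in for
    the network (or file) access; it returns the entity body as bytes.
    Returns the list of system identifiers that were fetched."""
    fetched = []
    parser = xml.parsers.expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        fetched.append(system_id)
        body = fetch(system_id)                    # the outbound request
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(body, True)                      # splice the content in
        return 1                                   # 1 = continue parsing

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return fetched


def parse_hardened(xml_bytes):
    """Counterpart of the ExternEnt handler in the post: never fetch,
    substitute empty content for every external entity, record a warning.
    Returns (warnings, character data seen in the document)."""
    warnings = []
    texts = []
    parser = xml.parsers.expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        warnings.append("refused external entity %r" % system_id)
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(b"", True)                       # same effect as returning ""
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = texts.append
    parser.Parse(xml_bytes, True)
    return warnings, "".join(texts)


def has_doctype(xml_bytes):
    """Stricter check for SOAP/XML-RPC input: abort at the DOCTYPE
    declaration, before any entity can be declared, let alone resolved."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed")   # propagates out of Parse()

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("default would fetch:", parse_resolving(PAYLOAD, lambda sysid: b"ping"))
    print("hardened:", parse_hardened(PAYLOAD))
    print("has DOCTYPE:", has_doctype(PAYLOAD))
```

In XML::Parser the same effect comes from passing an ExternEnt handler that returns the empty string (the calling convention is in the man page, as the post says); the empty sub-parse in parse_hardened is what that return value does inside expat.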