| ||
Fri 2024-04-19
Thu 2024-04-18
Mon 2024-04-15
Butterick’s Practical Typography Sat 2024-04-13
Fri 2024-04-12
Wed 2024-04-10
Boy Meets Boy Meets Boys’ Love Tue 2024-04-09
Mon 2024-04-08
Search
Archives
2023
12 11 10 09 08 07 06 05 04 03 02 01
2022
2021
2020
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
One good site
MDN
Nelson Minar
Blog licensed under a Creative Commons License
|
XML is bad for data transfer for lots of reasons. It's slow to parse,
awfully wordy, doesn't support 8 bit data, etc etc. But my favourite
thing is how most XML consumers can be induced to
open arbitrary URLs.
There's a 4+ year old security hole in many XML parsers called XXE, the Xml eXternal Entity attack. Take a look:
<?xml version="1.0" encoding="UTF-8"?>
Don't let all the pointy-parentheses confuse you (although they're a good
reason to hate XML too). What's going on there is my document has
defined
two new entities called passwd and http and then used
them. They're defined as expanding to the contents of URIs.
<!DOCTYPE doc [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> <!ENTITY http SYSTEM "http://example.com/delAll"> ]> <eyeAmH4xor> &passwd; &http; </eyeAmH4xor> About 3/4 of the XML applications I've encountered out there will blindly do as ordered and load the URIs. The app will load the password file, at which point a clever hacker can usually induce the application to send it back to them (as an error message, for instance). Even better it will load the HTTP URL. Yes, many XML applications will load any URL you tell them to. From the app server. Nice, huh? XXE is an old bug, but it keeps coming back because most people using XML would never think their little XML parser can be instructed to start opening network sockets. Acrobat had this bug just last year. XML parsers usually have obscure options to secure them, but many have them off by default. Why are we using a data format where this is possible at all? |
|
