Hi, I saw the following DoS security alert in the xerces-j-user newsgroup:
> From: [EMAIL PROTECTED] (.hsbc.Com)
> Date: 12/12/2002 03:37 PM
> Please respond to: xerces-j-user
> To: [EMAIL PROTECTED]
> cc:
> Subject: Dos Attack via Xerces
> I recently received a security alert regarding Xerces XML parsers (see below). We have recently implemented an application that uses Castor, which uses Xerces 1.4.4, to parse XML requests for data. Are there any changes in the works to Xerces to combat this issue?
>
> The Xerces XML parser included in multiple vendors' web services products is used to parse XML documents that contain Document Type Definitions (DTD). A remote attacker may configure the attributes of a document or object within a DTD or Simple Object Access Protocol message to cause a denial of service (DoS) attack against web systems running the parser. The malicious DTD sends the parser into an almost infinite loop, which exhausts CPU resources.
Is anyone looking, or has anyone looked, into this for Xerces-C++? We are shipping the xercesc 1.7 parser with our product and would like to incorporate the changes if any are available.
Bhavani Ravichandran
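As an added example (not code from this thread or from the Xerces project), one way a deployer can keep a DTD-carrying request from ever reaching the parser's DTD handling is to have the parser refuse any DOCTYPE outright. It assumes a Xerces-J 2.x parser behind JAXP, which exposes the disallow-doctype-decl feature; whether the Xerces 1.4.4 named above honours that feature is not stated in the thread.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class NoDtdParser {
    // Xerces-J feature URIs. Assumption: the deployed parser is Xerces-J 2.x,
    // which recognises all four; an older Xerces may reject the first one.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Builds a non-validating parser that fails fast on any DOCTYPE, so a
    // malicious DTD (or external entity reference) is never processed.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setValidating(false);
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(EXT_GENERAL_ENTITIES, false);
        factory.setFeature(EXT_PARAM_ENTITIES, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        return factory.newSAXParser();
    }

    // Returns true if the request parsed, false if the parser rejected it.
    // With DISALLOW_DOCTYPE set, a DOCTYPE is reported as a SAXException
    // before any of the DTD content is examined.
    static boolean accept(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests: a plain SOAP-style body, and the same
        // body preceded by an internal DTD (the shape the alert warns about).
        String plain = "<Envelope><Body><GetData id=\"1\"/></Body></Envelope>";
        String withDtd = "<!DOCTYPE Envelope [<!ATTLIST Envelope x CDATA \"y\">]>" + plain;
        System.out.println("plain request accepted: " + accept(plain));
        System.out.println("request with DTD accepted: " + accept(withDtd));
    }
}
```

Rejecting the DOCTYPE at the parser is only appropriate where the service does not legitimately need DTDs; if it does, the external-entity and external-DTD features above still reduce exposure while leaving internal DTDs to the parser's fix.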