That's true Scott. Xerces is a big player in the XML parsing world. I'm just a
security activist trying to encourage important libraries like Xerces to use
safe defaults when they can. And for XXE, for sure, there is precedent to turn
it off by default since it's so dangerous.
--
Jim Manico
@Ma
3 AM, Michael Glavassevich wrote:
>
> "Cantor, Scott" wrote on 03/04/2015 12:16:03 PM:
>
>> From: "Cantor, Scott"
>> To: "j-users@xerces.apache.org" ,
>> Date: 03/04/2015 12:18 PM
>> Subject: Re: Hello and XXE
>>
>> On 3/4/15, 5:
On 3/4/15, 6:34 PM, "Michael Glavassevich" wrote:
>
>And I was pointing out that it's irrelevant to Jim's concern.
I'm betting Jim's concern is with the parser being secure, period, not
just in one specific way, but he can speak for himself.
>If you're interested in seeing a release which rol
"Cantor, Scott" wrote on 03/04/2015 01:16:30 PM:
> From: "Cantor, Scott"
> To: "j-users@xerces.apache.org" ,
> Date: 03/04/2015 01:19 PM
> Subject: Re: Hello and XXE
>
> On 3/4/15, 6:10 PM, "Michael Glavassevich" wrote:
>
>
&
On 3/4/15, 6:23 PM, "Michael Glavassevich" wrote:
>
>-1. XXE is not a vulnerability in the parser. It may be a vulnerability
>for an application/product, but that is the developer's responsibility to
>apply proper configuration to protect themselves in the right context.
The issue is a trade-
"Cantor, Scott" wrote on 03/04/2015 12:16:03 PM:
> From: "Cantor, Scott"
> To: "j-users@xerces.apache.org" ,
> Date: 03/04/2015 12:18 PM
> Subject: Re: Hello and XXE
>
> On 3/4/15, 5:08 PM, "Jim Manico" wrote:
>
>
>
&g
On 3/4/15, 6:10 PM, "Michael Glavassevich" wrote:
>
>The defect you're referring to had nothing to do with DTDs or entities.
Which I acknowledged. You still have an unreleased security fix that is
*not* a function of "applications configuring the parser correctly".
-- Scott
"Cantor, Scott" wrote on 03/04/2015 12:15:02 PM:
> On 3/4/15, 4:56 PM, "Michael Glavassevich" wrote:
>
> >
> >There has been some work done on the trunk [1] to make it easier for
> >users
> >to protect themselves but it isn't likely to change any defaults. Users
> >need to configure XML par
On 3/4/15, 5:21 PM, "Jim Manico" wrote:
>How can I help? I'm happy to submit a patch if you like... This is a
>fairly critical security issue and I'm willing to get my hands dirty and
>help code? wash your car? free trips to Hawaii? What do need?
If you're directing that question to me,
How can I help? I'm happy to submit a patch if you like... This is a fairly
critical security issue and I'm willing to get my hands dirty and help
code? wash your car? free trips to Hawaii? What do need?
Aloha,
--
Jim Manico
@Manicode
(808) 652-3805
> On Mar 4, 2015, at 9:16 AM, Cantor, Sco
On 3/4/15, 4:56 PM, "Michael Glavassevich" wrote:
>
>There has been some work done on the trunk [1] to make it easier for
>users
>to protect themselves but it isn't likely to change any defaults. Users
>need to configure XML parsers appropriately for their scenario and there
>are plenty of w
On 3/4/15, 5:08 PM, "Jim Manico" wrote:
>With respect, XXE is a massive vulnerability that is turned off by
>default in Java 8 as well as IBM parsers. Is there any proof or risk
>model I could provide to convince Xerces to turn this off by default?
+1
And it's not the only unfixed vulnerabi
With respect, XXE is a massive vulnerability that is turned off by default in
Java 8 as well as IBM parsers. Is there any proof or risk model I could provide
to convince Xerces to turn this off by default?
I am honestly just a researcher who has watch several folks get brutally hacked
because o
Hi,
There has been some work done on the trunk [1] to make it easier for users
to protect themselves but it isn't likely to change any defaults. Users
need to configure XML parsers appropriately for their scenario and there
are plenty of ways they can do that if they're concerned about XXE.
Th
Hello,
I am a security researcher worried about the threat of XXE in Java parsers.
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
Java 8 made the choice to disable External Entities by default and I'd love to
see Xerces2 make the same choice. This is a pretty serious r
15 matches
Mail list logo
