In association with heise online

06 August 2009, 09:49

Vulnerabilities in different vendors XML parsers

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The security service company Codenomicon has highlighted a weakness in the XML parser libraries from Sun Microsystems, the Apache Software Foundation and the Python Software Foundation and said that denial of service attacks were possible against applications which were based on these libraries. Codenomicon made the announcement of the problems in co-operation with the Finnish Computer Emergency Response Team (CERT-FI). More details on the vulnerability are available on the CERT-FI website.

The problem can occur when an application is parsing an XML file which has been prepared by attackers and contains unexpected byte values or recursive parentheses. This would typically cause the application to crash, but Codenomicon does not exclude the possibility that the hole could be used to inject code and execute it. Remote attackers could exploit the hole by attacking SOAP servers. The security service provider discovered the hole by testing the various XML parser libraries with specialised Fuzzing tools.

As XML is widely used to exchange structured data, Codenomicon notes that the vulnerability is particularly dangerous and advises developers to respond to the issues as soon as possible. Some companies and open source groups have already responded to the problem and recommend patches to close the hole.

See also


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit