Sun JRE / JDK bug introduces XXE possibilities Feb 02 2008 02:21PM
Chris Evans (scarybeasts gmail com)
Hi,

Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:

http://scarybeastsecurity.blogspot.com/

Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.

In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.

Cheers
Chris
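An added check in Java (not part of Chris's post, and not necessarily the protection method it refers to): it builds a DOM parser with DOCTYPE declarations and external entities disabled, then feeds it a constructed probe document that declares an external entity pointing at a nonexistent file, so you can confirm on your own JDK that the parser refuses the document instead of trying to resolve the entity. The feature URIs are the standard SAX/Xerces ones; the probe path is a constructed placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class XxeParserCheck {
    // Constructed probe: an external entity that points at a file which does not exist.
    // A parser that honours the DOCTYPE will try to open it; a hardened one refuses the DOCTYPE.
    static final String PROBE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE probe [ <!ENTITY ext SYSTEM \"file:///nonexistent-xxe-probe\"> ]>\n"
      + "<probe>&ext;</probe>";

    // Parser configuration that removes the external-entity vector regardless of
    // how the JDK's default parser happens to behave.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // REJECTED: the parser refused the DOCTYPE (desired outcome).
    // RESOLVED: the parser tried to fetch the external entity (the file open failed,
    //           which is how we know it attempted resolution).
    // PARSED:   the document parsed without error, which also means the entity was honoured.
    static String probe(DocumentBuilder b) throws Exception {
        try {
            b.parse(new ByteArrayInputStream(PROBE.getBytes(StandardCharsets.UTF_8)));
            return "PARSED";
        } catch (SAXParseException e) {
            return "REJECTED";
        } catch (IOException e) {
            return "RESOLVED";
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder defaults = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("default parser:  " + probe(defaults));
        System.out.println("hardened parser: " + probe(hardenedBuilder()));
    }
}
```

Run it under the JDK your web service actually deploys on; only "REJECTED" for the parser you use in production means the entity vector is closed.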
