Sun JRE / JDK bug introduces XXE possibilities Feb 02 2008 02:21PM
Chris Evans (scarybeasts gmail com)

Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:


Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.

In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus