Sun released JDK6u4 which fixes a possibly nasty issue where one of the XXE protection methods for the default XML parser was broken.
My advisory is at http://scary.beasts.org/security/CESA-2007-002.html
Sun's advisory is at http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1
Secunia picked it up at http://secunia.com/advisories/28746/
Web services are obviously a key concern here. I haven't checked to see how the common web service frameworks do XXE protection. It's possible to ban DTDs outright, but I'd suspect more common would be to use the broken parser property http://xml.org/sax/features/external-general-entities.
I'd love feedback on specific affected technologies.
Acesoftech is one of the leading Kolkata based website design company. The kolkata web design company provides high-quality, and professional services at affordable rates. We have clients from different parts of the world because of our quality works.Kolkata web design company
Post a Comment