[Expat-discuss] DoS exploit?
Karl Waclawek
karl at waclawek.net
Fri Oct 22 14:32:18 CEST 2004
----- Original Message -----
From: "Hendrik Schober" <SpamTrap at gmx.de>
To: <expat-discuss at libexpat.org>
Sent: Friday, October 22, 2004 5:52 AM
Subject: [Expat-discuss] DoS exploit?
> Hi,
>
> I have heard about a bug in expat that would allow DoS
> attacks.
> I have searched through the bug mailing list, this list,
> the bug list at sourceforge, and used google. However,
> besides some seemingly false alarm in 2002, I only found
> some evidence that there really might have been such a
> bug in some version of expat (start looking for this at
> http://mail.jabber.org/pipermail/jabberd/2004-September/002005.html).
> I haven't had any luck finding whether this is true, let
> alone which version of expat were vulnerable.
>
> Is there anybody out there who can shed some light onto
> this? I have been asked by a customer to comment on the
> issue.
Search google for the "million laughs xml" attack.
This is a DoS attack that every conforming XML parser
is susceptible too. Its based on how entities declared
in a DTD are expanded. There is no known bug in Expat
related to DoS attacks.
Karl
More information about the Expat-discuss
mailing list