With the adoption of
the XML specification came an opportunity to build a new generation of
message-handling systems. The success of the Internet and technologies
such as TCP/IP, web servers and HTML validated the demand for
interoperable, platform-neutral protocols. XML provided a vendor-neutral
solution for crafting new protocols.
The security problems listed here are related to message
processing (using XML-based protocols to exchange information across a
network). Developers creating messaging applications and web services
must consider several classes of vulnerabilities and threats.
Developers, systems architects and network
administrators should stay informed about problems with libraries, tools
and developer environments. Using a flawed library, for example, to
create an application or service means it will have a security hole.
Diligence is also required to stay abreast of security problems related
to platform software, such as application servers, database servers and
operating systems. The lists of vulnerabilities at WebServicesSummit.com
include security failures when processing XML documents, such as
parsing or Extensible Stylesheet Language Transformation (XSLT)
processing. Another class of security problems is related
to XML-based message processing. This group includes vulnerabilities
from remote procedure call (XML-RPC) and SOAP processing. The list
presented here identifies security holes in specific software. It does
not address security issues related to flawed architecture, deficient
specifications or inadequate security administration.
Specifications
There's been a great deal of effort by organizations
such as the W3C and OASIS to develop standards for secure XML and web
services processing. Those standards, such as WS-Security, leverage
other standards for secure sockets, digital certificates, encryption and
so on. The list of message processing vulnerabilities presented here
does not address messaging and security specifications, but rather
software that's a flawed implementation of those specifications.
Microsoft Internet Information Server WebDAV denial of service vulnerability
IIS versions 5.0 and 5.1 are vulnerable to a denial of service attack, caused by improper handling of
excessively long WebDAV requests containing XML commands.
XML-RPC for PHP Code Execution Vulnerability
A vulnerability in XML-RPC for PHP can be exploited to
compromise a vulnerable system. Improper validation of XML document
input permits a malicious document to be used in the "eval()" call,
permitting arbitrary PHP code injection.
WebDAV Message Handling Exploits with Some Windows Platforms
Users of Windows 2000 (SP3, SP4), Windows XP, XP SP1,
64-bit and Windows Server 2003 and 64-bit are vulnerable to a
denial-of-service attack. It's
possible to compose a WebDAV request to servers running IIS and WebDAV
that causes WebDAV to consume all available CPU and memory resources.
SOAP denial of service with Macromedia Web services
A vulnerability in the Web services XML parser exposes Macromedia
ColdFusion MX and Macromedia JRun 4.0
to possible denial of service. Using a specially-crafted SOAP message,
an attacker can cause the XML parser to go into an infinite loop and use
all available CPU resources.
SOAP request DTD denial of service multi-platform vulnerability
An attacker can send a specially-formulated SOAP
request that uses DTD parameter entities to
cause a denial of service condition on a SOAP
server. In some instances, the XML parser consumes available memory.
In some cases, it consumes all available CPU resources. It can also
cause memory leaks. Platforms affected
include Microsoft .NET Framework and IBM WebSphere.
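As an added example (not from the original article or from any vendor named here), the following Python pre-parse check refuses a SOAP request that contains a DOCTYPE declaration, which is where DTD parameter entities would be declared. The names check_soap_request and RejectedMessage and the 64 KB size limit are assumptions made for illustration.

```python
import xml.parsers.expat

MAX_BODY_BYTES = 64 * 1024  # assumed limit for this example, tune per service


class RejectedMessage(Exception):
    """Raised when a request must not be handed to the SOAP stack."""


def check_soap_request(body: bytes) -> str:
    """Return the root element name, or raise RejectedMessage.

    A SOAP envelope has no need for a DTD, so any DOCTYPE declaration
    is treated as hostile and the request is refused outright.
    """
    if len(body) > MAX_BODY_BYTES:
        raise RejectedMessage("body exceeds size limit")

    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called when expat meets <!DOCTYPE ...>; raising here makes
        # Parse() fail, so the message never reaches the SOAP stack.
        raise RejectedMessage("DOCTYPE declaration not allowed in SOAP message")

    def on_start(name, attrs):
        if not root:
            root.append(name)  # remember only the document element

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from exc
    return root[0]


if __name__ == "__main__":
    # Constructed sample input: a minimal, DTD-free envelope.
    sample = (b'<soap:Envelope xmlns:soap='
              b'"http://schemas.xmlsoap.org/soap/envelope/">'
              b'<soap:Body/></soap:Envelope>')
    print(check_soap_request(sample))
```

Run the check on the raw request bytes before any SOAP toolkit sees them, and log rejected requests so repeated attempts are visible.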
XML parser flaw could cause SOAP server denial of service (multiple vendors)
When a SOAP server parses an XML document, it compiles a list of
attributes for each parsed element. An attacker can cause denial of service when the server handles certain types of
requests that consume all available CPU resources. Platforms using the Apache
Crimson XML parser are vulnerable. This vulnerability affects different versions of IBM
WebSphere, Macromedia ColdFusion MX, Macromedia
JRun, and Microsoft .NET.
Zope Incorrect XML-RPC Request Information Disclosure Vulnerability
Zope 2.5.1 and earlier versions do not handle XML-RPC requests properly.
A specially crafted XML-RPC request could cause Zope to respond
with an error page containing system-specific details.