[Python-Dev] XML DoS vulnerabilities and exploits in Python
Tres Seaver
tseaver at palladion.com
Thu Feb 21 08:29:08 CET 2013
On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
> On Thu, 21 Feb 2013 11:37:47 +1100 Steven D'Aprano
> <steve at pearwood.info> wrote:
>>
>> It's easy to forget that malware existed long before the Internet.
>> The internet is just a transmission vector, it is not the source of
>> malicious files. The source of malicious files is *other people*,
>> and unless you never use XML files you didn't generate yourself, you
>> cannot completely trust the source. You might trust your colleagues
>> to not *intentionally* pass you a malicious XML file, but they may
>> still do so accidentally.
>
> That's in theory very nice, but in practice security in everyday
> computing hasn't really been a concern before the massification of
> Internet access.
>
> (yes, there have been viruses on mainstream platforms such as the
> Amiga, but it was pretty minor compared to nowadays, and nobody cared
> about potential DoS attacks for example)
>
> So, as for XML files, we are talking about a DoS vulnerability. It
> will take more than a single file to make a DoS attack really
> annoying, which means the attacker must pollute the source of those
> XML files in a systemic way. It's not "a single XML file will smuggle
> confidential data out of the building".
Antoine,
A single, small, malicious XML file can kill a machine (not just the
process parsing it) by sucking all available RAM. We are talking hard
lockup, reboot-to-fix-it sorts of DoS here.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
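Tres's point is that the memory blow-up comes from entity expansion, so the document has to declare entities before it can reference them. The following is an added example, not code from this thread or from the Python standard library maintainers: it drives expat directly and aborts on the first entity declaration (optionally on any DOCTYPE), so nothing is ever expanded. The function names and the sample documents are constructed for this illustration.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares entities (or a DTD) we refuse to process."""


def parse_xml_strict(data: bytes, forbid_dtd: bool = False) -> list:
    """Parse XML with expat, aborting on the first entity declaration.

    expat reports every <!ENTITY ...> declaration before it is referenced,
    so raising inside the handler stops the parse before any expansion.
    Returns a list of (tag, attrs) pairs for the elements seen.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Any declared entity, internal or external, is refused outright.
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Optionally refuse DTDs altogether; an external subset can declare entities too.
        if forbid_dtd:
            raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} refused")

    def on_start(tag, attrs):
        seen.append((tag, attrs))

    parser.EntityDeclHandler = on_entity_decl
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return seen


def rejects(data: bytes, forbid_dtd: bool = False) -> bool:
    """True if parse_xml_strict refuses the document."""
    try:
        parse_xml_strict(data, forbid_dtd)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples: a plain document, one declaring a single harmless entity,
# and one whose DOCTYPE points at an external subset.
SAFE_DOC = b'<inventory><item sku="42"/></inventory>'
ENTITY_DOC = b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'
EXT_DTD_DOC = b'<!DOCTYPE r SYSTEM "r.dtd"><r/>'

if __name__ == "__main__":
    print(parse_xml_strict(SAFE_DOC))
    for doc in (ENTITY_DOC, EXT_DTD_DOC):
        print(doc, "rejected" if rejects(doc, forbid_dtd=True) else "accepted")
```

The check runs before any entity is expanded, so the cost of refusing a hostile document is bounded by the size of its prologue, not by its expansion.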