[Python-Dev] XML DoS vulnerabilities and exploits in Python
Jesse Noller
jnoller at gmail.com
Thu Feb 21 12:05:52 CET 2013
On Feb 21, 2013, at 5:32 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> Le Thu, 21 Feb 2013 11:18:35 +0100,
> Christian Heimes <christian at python.org> a écrit :
>> Am 21.02.2013 08:42, schrieb Antoine Pitrou:
>>> Sure, but in many instances, rebooting a machine is not
>>> business-threatening. You will have a couple of minutes' downtime
>>> and that's all. Which is why the attack must be repeated many times
>>> to be a major annoyance.
>>
>> Is this business-threatening enough?
>>
>> https://pypi.python.org/pypi/defusedxml#external-entity-expansion-remote
>
> You haven't proved that these were actual threats, nor how they
> actually worked. I'm gonna remain skeptical if there isn't anything
> more precise than "It highly depends on the parser and the application
> what kind of exploit is possible".
>
> Regards
>
> Antoine.
>
I guess someone need to write a proof of concept exploit for you and release it into the wild.
Ok
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com
More information about the Python-Dev
mailing list