On Thu, Feb 21, 2013 at 9:23 AM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
Jesse Noller writes:

> I guess someone needs to write a proof of concept exploit for you
> and release it into the wild.

This is a bit ridiculous. This stuff looks easy enough that surely
Christian's post informed any malicious body who didn't already know
how to do it. If the exploit matters, it's already in the wild.
("Hey, didja know that an XML processor that expands entities does so
recursively?" "Uh-oh ....")


Just to clarify for my own curiosity. These attacks (e.g. http://en.wikipedia.org/wiki/Billion_laughs) have been known and public since 2003?


Eli