[Python-Dev] XML DoS vulnerabilities and exploits in Python
Christian Heimes christian at python.org
Thu Feb 21 11:18:35 CET 2013
- Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
- Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 21.02.2013 08:42, Antoine Pitrou wrote:
> Sure, but in many instances, rebooting a machine is not business-threatening. You will have a couple of minutes' downtime and that's all. Which is why the attack must be repeated many times to be a major annoyance.
Is this business-threatening enough?
https://pypi.python.org/pypi/defusedxml#external-entity-expansion-remote
An attacker can circumvent firewalls and gain access to restricted resources as all the requests are made from an internal and trustworthy IP address, not from the outside.
An attacker can abuse a service to attack, spy on or DoS your servers but also third party services. The attack is disguised with the IP address of the server and the attacker is able to utilize the high bandwidth of a big machine.
An attacker can exhaust additional resources on the machine, e.g. with requests to a service that doesn't respond or responds with very large files.
An attacker may gain knowledge of when, how often and from which IP address an XML document is accessed.
An attacker could send mail from inside your network if the URL handler supports smtp:// URIs.
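The points above describe what happens when a parser resolves an external general entity on the attacker's behalf. The following script is an added illustration, not code from the mail or from defusedxml: it builds a document with such an entity and parses it three ways with the standard library's xml.sax reader. The first parse trusts the SYSTEM identifier and reads a local file through a file:// URL (a constructed stand-in for a secret on the server); the second has external general entities switched off, so the reference is left unexpanded; the third installs an EntityResolver that only records which URL the parser was about to fetch, which is how you can audit what a document would make your server request without letting it make the request. The INTERNAL_TARGET URL is a hypothetical intranet address chosen for the example. Python before 3.7.1 resolved external general entities by default; the feature is set explicitly here so the behaviour is the same on every version.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler, EntityResolver
from xml.sax.xmlreader import InputSource

# Hypothetical internal address an attacker would aim the server at (not from the mail).
INTERNAL_TARGET = "http://intranet.example.internal/admin"


def make_xxe_document(target_url):
    """Constructed attacker input: an external general entity whose SYSTEM id
    is a URL, referenced in the body. Whoever parses this fetches the URL."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE note [\n"
        f'  <!ENTITY ext SYSTEM "{target_url}">\n'
        "]>\n"
        "<note>&ext;</note>\n"
    )


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


class RecordingResolver(EntityResolver):
    """Audit hook: records every external entity the parser tries to resolve and
    hands back an empty stream, so nothing on the network or disk is touched."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource()
        src.setByteStream(io.BytesIO(b""))
        return src


def _parse(xml_text, external_ges, resolver=None):
    parser = xml.sax.make_parser()
    # Python < 3.7.1 defaulted this to True; set it explicitly for all versions.
    parser.setFeature(handler.feature_external_ges, external_ges)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.text


def parse_trusting(xml_text):
    """Unsafe: the default EntityResolver returns the SYSTEM id unchanged and the
    SAX reader opens it with urllib (file://, http://, ftp:// ...)."""
    return _parse(xml_text, external_ges=True)


def parse_hardened(xml_text):
    """External general entities off: the reference stays unexpanded.
    defusedxml goes further and rejects the DTD/entity outright."""
    return _parse(xml_text, external_ges=False)


def audit_external_requests(xml_text):
    """Returns the URLs the document would make the parser fetch, without fetching."""
    resolver = RecordingResolver()
    _parse(xml_text, external_ges=True, resolver=resolver)
    return resolver.requested


def write_secret_file(content=b"secret-token-123"):
    """Constructed stand-in for a file the attacker must not read; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def demo():
    path = write_secret_file()
    try:
        file_doc = make_xxe_document(pathlib.Path(path).as_uri())
        leaked = parse_trusting(file_doc)    # file contents come back as entity text
        blocked = parse_hardened(file_doc)   # "" : entity never resolved
    finally:
        os.unlink(path)
    would_fetch = audit_external_requests(make_xxe_document(INTERNAL_TARGET))
    return leaked, blocked, would_fetch


if __name__ == "__main__":
    leaked, blocked, would_fetch = demo()
    print("trusting parser expanded the entity to:", repr(leaked))
    print("hardened parser expanded the entity to:", repr(blocked))
    print("document would make this server request:", would_fetch)
```

The recording resolver is the piece worth keeping around: the URL it logs is exactly the request that would leave with the server's own source address, which is why the firewall argument above holds. Note that turning off external general entities does nothing against the internal entity expansion (billion laughs) attacks discussed elsewhere in this thread; for that you need the limits or outright rejection that defusedxml applies.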