[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sun JRE / JDK bug introduces XXE possibilities


Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:


Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.

In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.