DoS Flaw in SOAP DTD Parameter

Technology heavyweights IBM and Microsoft have released fixes for a potentially serious vulnerability in various Web Services products that could be exploited to trigger denial-of-service attacks.

In separate alerts, the companies said the vulnerability was caused by an error in the XML parser when parsing the DTD (Document Type Definition) part of XML documents. Independent security researcher Secunia has tagged the flaw with a “moderately critical” rating.

Affected software includes IBM WebSphere 5.0.0 and Microsoft ASP.NET Web Services (.NET Framework 1.0, .NET Framework 1.1).

According to IBM, the security patch fixes a flaw that could be exploited by sending a specially crafted SOAP request. “This can cause the WebSphere XML Parser to consume an excessive amount of CPU resources,” Big Blue warned.

An advisory from Microsoft confirmed the DTD error parsing vulnerability in its Web Services products, included with the .NET Framework 1.1.

Document Type Definitions (DTDs) provide a way to write markup rules that describe the structure of XML documents and can be used to validate the structure of those documents. When the XML 1.0 specification was originally created, the DTD syntax, which is not XML-based, was inherited from earlier markup languages, such as Standard Generalized Markup Language (SGML) and HTML, Microsoft explained.

In some cases, Microsoft recommended the rejection of XML messages that contain DTDs, because of their limitations. The software giant said the SOAP 1.1 specification states that a SOAP message must not contain a DTD.

“As an alternative to DTDs, you can describe the XML document structure by using the World Wide Web Consortium (W3C) XML Schema language. The W3C XML Schema language offers the same benefits as DTDs, but it also resolves some of the limitations of DTDs,” the company explained.
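The recommendation above, rejecting SOAP messages that carry a DTD, can be enforced before the message ever reaches the XML parser. The following is an added example, not code from Microsoft, IBM or the original article; the function names and sample messages are hypothetical, and it assumes the endpoint accepts UTF-8 only.

```python
import re

WS = (b" ", b"\t", b"\r", b"\n")  # XML whitespace characters

class SoapRejected(ValueError):
    """The message must not be handed to the XML parser."""

def reject_if_dtd(raw: bytes) -> None:
    """Walk the XML prolog; raise SoapRejected if a DOCTYPE is declared.

    Assumption: the endpoint only accepts UTF-8. Other encodings are refused
    (fail closed) so a re-encoded declaration cannot slip past this byte scan.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw[:64]:
        raise SoapRejected("non-UTF-8 encoding refused")
    pos = 3 if raw.startswith(b"\xef\xbb\xbf") else 0  # skip a UTF-8 BOM
    while True:
        while raw[pos:pos + 1] in WS:
            pos += 1
        if raw.startswith(b"<?", pos):             # XML declaration or PI
            end, skip = raw.find(b"?>", pos + 2), 2
            m = re.search(rb"encoding\s*=\s*[\"']([\w.-]+)", raw[pos:max(end, pos)])
            if raw.startswith(b"<?xml", pos) and m and m.group(1).lower() != b"utf-8":
                raise SoapRejected("declared encoding refused")
        elif raw.startswith(b"<!--", pos):         # comment
            end, skip = raw.find(b"-->", pos + 4), 3
        elif raw.startswith(b"<!DOCTYPE", pos):
            raise SoapRejected("DOCTYPE declaration at byte %d" % pos)
        elif raw.startswith(b"<", pos) and not raw.startswith(b"<!", pos):
            return                                 # root element: prolog is over
        else:
            raise SoapRejected("malformed prolog at byte %d" % pos)
        if end < 0:
            raise SoapRejected("unterminated construct at byte %d" % pos)
        pos = end + skip

def accepted(raw: bytes) -> bool:
    try:
        reject_if_dtd(raw)
        return True
    except SoapRejected:
        return False

# Constructed sample messages (not captured traffic).
ENVELOPE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<soap:Body><note><![CDATA[<!DOCTYPE is only text here]]></note></soap:Body>"
            b"</soap:Envelope>")
CLEAN = b'<?xml version="1.0" encoding="utf-8"?>\n<!-- order request -->\n' + ENVELOPE
WITH_DTD = b'<?xml version="1.0"?>\n<!DOCTYPE x [ <!ELEMENT x ANY> ]>\n' + ENVELOPE
```

Because a DOCTYPE may only appear in the prolog, the scan stops at the root element, so the string `<!DOCTYPE` inside a CDATA section in the body does not cause a false rejection.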
