"Cantor, Scott" <[email protected]> wrote on 03/04/2015 12:16:03 PM:
> From: "Cantor, Scott" <[email protected]>
> To: "[email protected]" <[email protected]>,
> Date: 03/04/2015 12:18 PM
> Subject: Re: Hello and XXE
>
> On 3/4/15, 5:08 PM, "Jim Manico" <[email protected]> wrote:
>
> >With respect, XXE is a massive vulnerability that is turned off by
> >default in Java 8 as well as IBM parsers. Is there any proof or risk
> >model I could provide to convince Xerces to turn this off by default?
>
> +1
>
> And it's not the only unfixed vulnerability in play (per the note I just
> sent).

-1. XXE is not a vulnerability in the parser. It may be a vulnerability for an application/product, but that is the developer's responsibility to apply proper configuration to protect themselves in the right context.

> -- Scott

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
