PerlMonks  

Billions of laughs attack

by nlakshmi (Initiate)
on Feb 27, 2018 at 14:45 UTC

nlakshmi has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I am currently using perl 5.6.1 in my application. I am using the XML::Parser (version 2.30) module to parse the XML input. This module is vulnerable to an attack called the Billions of laughs attack, which increases the CPU and hence leads to Denial Of Service.

Is there any latest version of XML::Parser where this vulnerability is addressed? (I did not get it in CPAN)

I thought of replacing the XML::Parser module with the XML::LibXML::Parser module to address this vulnerability, as LibXML 2.0100 has the fix. I installed that module manually. But I am getting dependency issues while executing the script. Not sure if the LibXML version (2.0100) is compatible with Perl 5.6.1.

Can anyone advise on this?

Thanks and regards,
Nagalakshmi

Replies are listed 'Best First'.
Re: Billions of laughs attack
by Corion (Patriarch) on Feb 27, 2018 at 14:59 UTC

    Have you looked at the NoExpand option of XML::Parser which is at version 2.44 on CPAN? It allows you to prevent entity expansion, which should help against the Billion Laughs Attack.

    As you don't tell us what "dependency issues" you got, it's hard to advise you about how to install XML::LibXML to use that instead.

    My general advice is if you are talking to the outside world and you think that a Billion Laughs Attack might happen to you because you receive unfiltered input from untrusted parties, you should consider upgrading your version of Perl to at least 5.14 or preferably to something higher to prevent lots of other attacks based on processing untrusted input in hashes and also to restore compatibility with many modules.

      Indeed, perl version 5.6.1 was released almost 17 years ago!!!!

      Dave.

Re: Billions of laughs attack
by davies (Prior) on Feb 27, 2018 at 15:05 UTC

    http://www.ws-attacks.org/XML_Entity_Expansion states

    If you are sure that your web service framework implements the SOAP 1.2 standard correctly you are not vulnerable to any of these attacks. In case you are not sure, the easiest and most forward way is to manually check prior to parsing whether or not an opening DTD Tag is existent. If that is the case just discard the message.
    Therefore, I would not be surprised if there were no plans to write a fix that would normally be implemented by another layer. I appreciate that this doesn't really answer your question, although it might suggest a workaround, and I'm only guessing about plans for the module.

    Regards,

    John Davies
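Both mitigations raised in this thread, Corion's NoExpand option and the "discard anything with a DTD" rule davies quotes, as an added example that is not code from any post here; it assumes XML::Parser 2.44 and uses a constructed two-level test document (the attack shape, but only four expansions):

```perl
use strict;
use warnings;
use XML::Parser;

# Constructed fixture: same nesting shape as the attack, kept tiny on purpose
# (two levels, expanding to just four "lol"), so it is safe to parse either way.
my $xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
XML

# Mitigation 1: NoExpand. XML::Parser only honours it when a Default handler
# is registered too; the raw reference text ("&lol2;") is then handed to that
# handler instead of being expanded by expat.
sub parse_without_expansion {
    my ($doc) = @_;
    my ($text, $in_body, @refs) = ('', 0);
    my $p = XML::Parser->new(
        NoExpand => 1,
        Handlers => {
            Start   => sub { $in_body = 1 },
            Char    => sub { $text .= $_[1] },
            # Default also sees the prolog; only record references inside the body.
            Default => sub { push @refs, $_[1] if $in_body && $_[1] =~ /^&[^;]+;$/ },
        },
    );
    $p->parse($doc);
    return ($text, \@refs);
}

# Mitigation 2: refuse any message carrying a DTD, done with the Doctype
# handler (fired before the internal subset is read) instead of a raw-string
# search for "<!DOCTYPE"; the die aborts parsing and propagates out of parse().
sub parse_rejecting_dtd {
    my ($doc) = @_;
    my $p = XML::Parser->new(
        Handlers => { Doctype => sub { die "DTD present, message discarded\n" } },
    );
    my $ok = eval { $p->parse($doc); 1 };
    return $ok ? 'accepted' : "rejected: $@";
}
my ($text, $refs) = parse_without_expansion($xml);
print "text='$text' unexpanded=@$refs\n";
print parse_rejecting_dtd($xml);
```

With NoExpand the body text stays empty and the reference list holds the unexpanded `&lol2;`; the second parser never reaches the entity declarations at all.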

Re: Billions of laughs attack
by LanX (Saint) on Feb 27, 2018 at 15:24 UTC
      On some of our VMS servers, we are stuck with Perl 5.8, with no way to upgrade because there hasn't been any newer Perl version for that version of the operating system.

        I guess you deserve billions of laughs for using VMS ...

        Jenda
        Enoch was right!
        Enjoy the last years of Rome.

Re: Billions of laughs attack
by Anonymous Monk on Feb 28, 2018 at 02:01 UTC
    If I may ask – are you seriously exposed to this attack, or is it merely hypothetical?
