[jboss-user] [JBoss Web Services] - How to avoid parsing DTD in Soap Request
Jian Liu
do-not-reply at jboss.com
Thu Aug 8 00:30:21 EDT 2013
Jian Liu [https://community.jboss.org/people/jliubay] created the discussion
"How to avoid parsing DTD in Soap Request"
To view the discussion, visit: https://community.jboss.org/message/831863#831863
--------------------------------------------------------------
Web service has an XML expansion vulnerability by parsing DTD in the input soap message. Does anyone have a solution for turning off DTD loading/parsing for JAX-WS Web Services implemented using @WebService? JBoss AS 6 ships with CXF web services implementation. There seems to be a way to replace default parser according to http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf. But we are on JBoss5.2.
Thaks.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/831863#831863]
Start a new discussion in JBoss Web Services at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2044]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20130808/5756c3ca/attachment.html
More information about the jboss-user
mailing list