Hi,

"Christopher Dicely" <cmdic... / gmail.com> wrote:
> ---[begin]
> There is a DoS vulnerability in the REXML library used by Rails to
> parse incoming XML requests. A so-called "XML entity explosion" attack
> technique can be used for remotely bringing down (disabling) any
> application which parses user-provided XML. Most Rails applications
> will be vulnerable to this attack.
> ---[end]
>
> It should say something like this:
>
> ---[begin]
> There is a DoS vulnerability in the REXML library included in the Ruby
> Standard Library. A so-called "XML entity explosion" attack technique
> can be used for remotely bringing down (disabling) any application
> which parses user-provided XML using REXML.
> ---[end]

I admit that my announcement is misleading. It was based on the original
report to security / rubyonrails.org.

What do you think of fixing it like this?

---
There is a DoS vulnerability in the REXML library included in the Ruby
Standard Library. A so-called "XML entity explosion" attack technique
can be used for remotely bringing down (disabling) any application
which parses user-provided XML using REXML.

Most Rails applications will be vulnerable because Rails parses
user-provided XML using REXML by default.
---

> Any specific notes about systems that rely on REXML (including Rails)
> should have followed that accurate description of the nature and
> applicability of the problem. (I also question whether it's true that
> "Most Rails applications will be vulnerable to this attack", is it
> really true that the majority of Rails apps consume XML from untrusted
> sources?)

Yes, it is.

Shugo Maeda
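As an added example (not code from this thread or from the REXML project), the following Ruby script shows the defensive counterpart of the problem discussed above: REXML's process-wide entity-expansion limit, set through REXML::Security.entity_expansion_limit, aborting expansion of a small constructed nested-entity document once the limit is exceeded. It assumes a reasonably current REXML (the one bundled with Ruby) is installed; the sample document and the helper function are constructed for this example.

```ruby
# Added example (not from the thread): shows how REXML's entity-expansion
# limit lets an application reject an "XML entity explosion" document
# instead of spending CPU and memory expanding it.
require "rexml/document"

# Constructed sample: three entity levels with fan-out three. A single
# "&c;" reference expands to 9 characters after 13 entity expansions.
# (The documents the thread discusses use far more levels and fan-out.)
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;">
  ]>
  <r>&c;</r>
XML

# Parse XML with REXML under the given entity-expansion limit and return
# the expanded root text, or the reason REXML refused to expand it.
# REXML::Document reads the limit when the document is created, and the
# setting is process-wide, so the previous value is restored afterwards.
def expand_with_limit(xml, limit)
  previous = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  text = doc.root.text          # forces entity expansion of "&c;"
  { status: :ok, text: text, expansions: doc.entity_expansion_count }
rescue RuntimeError => e        # REXML::ParseException is a RuntimeError too
  { status: :rejected, error: e.message }
ensure
  REXML::Security.entity_expansion_limit = previous
end

if __FILE__ == $PROGRAM_NAME
  p expand_with_limit(SAMPLE_XML, 10_000)  # generous limit: expands fine
  p expand_with_limit(SAMPLE_XML, 5)       # tight limit: expansion aborted
end
```

The same limit applies to every REXML::Document in the process, so a Rails application that parses XML through REXML inherits whatever value is set before the request is handled.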