ws-users mailing list archives

From John Wilson
Subject Re: It's too easy to hack an XMLRPC WebServer!
Date Thu, 15 Apr 2004 14:19:54 GMT

On 15 Apr 2004, at 14:48, Filippo Capocasale wrote:

> I've tried with xerces...
> XmlRpc.setDriver("org.apache.xerces.parsers.SAXParser");
> ... but it's the same.
>    Thank you very much,
>        Filippo


What seems to be happening is that you are sending "prova\b" as the 
String value. The BEL character 0X07 is not allowed in an XML document 
(not even if it's replaced by a numeric character entity). The parser 
will then throw a SAXException as the XML is not well formed.

The client should really refuse to send this message. However, that 
doesn't stop bad people generating this sort of message by hand.

Do you get a response from the server for each call? If so, what is it?

John Wilson
The Wilson Partnership
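
The check discussed in the message above, as an added example that is not part of the original post or of the Apache XML-RPC code base: a client-side test of a string against the XML 1.0 `Char` production before it is sent, and a JAXP SAX parse showing that a receiver rejects the control character both raw and as a numeric character reference. The class name, the `echo` method name and the sample values are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XmlCharCheck {
    // XML 1.0 Char: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
    static boolean isXmlChar(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
            || (cp >= 0x20 && cp <= 0xD7FF)
            || (cp >= 0xE000 && cp <= 0xFFFD)
            || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    // Index of the first character that cannot appear in an XML 1.0 document, or -1.
    static int firstIllegal(String s) {
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i); // an unpaired surrogate comes back as itself and is rejected
            if (!isXmlChar(cp)) return i;
            i += Character.charCount(cp);
        }
        return -1;
    }

    // True if the JDK's SAX parser accepts the document as well formed.
    static boolean parses(String xml) throws Exception {
        try {
            SAXParserFactory.newInstance().newSAXParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler()); // DefaultHandler rethrows fatal errors
            return true;
        } catch (SAXException e) {
            return false; // not well formed: the request never reaches a handler
        }
    }

    // Constructed XML-RPC request; the value is inserted as-is (no escaping) on purpose.
    static String call(String value) {
        return "<?xml version=\"1.0\"?><methodCall><methodName>echo</methodName><params>"
             + "<param><value><string>" + value + "</string></value></param></params></methodCall>";
    }

    public static void main(String[] args) throws Exception {
        String bad = "prova\u0007"; // constructed sample: text followed by BEL (0x07)
        System.out.println("first illegal index in clean value: " + firstIllegal("prova"));
        System.out.println("first illegal index in bad value:   " + firstIllegal(bad));
        System.out.println("clean request parses:               " + parses(call("prova")));
        System.out.println("raw control char parses:            " + parses(call(bad)));
        System.out.println("numeric reference &#7; parses:      " + parses(call("prova&#7;")));
    }
}
```

A sender can run `firstIllegal` on every string parameter and refuse to serialize the call when it returns a non-negative index; a receiver should treat the `SAXException` as an ordinary malformed-request error and keep serving other calls.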
