Billions of laughs attack

nlakshmi has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I am currently using perl 5.6.1 in my application. I am using XML::Parser (version 2.30) module to parse the XML input. This module is vulnerable for an attack called Billions of laughs attack which increases the CPU and hence leads to Denial Of Service.

Is there any latest version of XML::Parser where this vulnerability is addressed? (I did not get it in CPAN)

I thought of replacing XML::Parser module with XML::LibXML::Parser module to address this vulnerability as LibXML 2.0100 is having the fix. I installed that module manually. But I am getting dependency issues while executing the script. Not sure if LibXML version (2.0100) is compatible with Perl 5.6.1.

Can anyone advice on this.

Thanks and regards,
Nagalakshmi

Comment on Billions of laughs attack

Replies are listed 'Best First'.
Re: Billions of laughs attack by Corion (Patriarch) on Feb 27, 2018 at 14:59 UTC
Have you looked at the `NoExpand` option of XML::Parser which is at version 2.44 on CPAN? It allows you to prevent entity expansion, which should help against the Billion Laughs Attack. As you don't tell us what "dependency issues" you got, it's hard to advise you about how to install XML::LibXML to use that instead. My general advice is if you are talking to the outside world and you think that a Billion Laughs Attack might happen to you because you receive unfiltered input from untrusted parties, you should consider upgrading your version of Perl to at least 5.14 or preferrably to something higher to prevent lots of other attacks based on processing untrusted input in hashes and also to restore compatibility with many modules.	[reply] [d/l]
Re^2: Billions of laughs attack by dave_the_m (Monsignor) on Feb 27, 2018 at 15:21 UTC
Indeed, perl version 5.6.1 was released almost 17 years ago !!!! Dave.	[reply]
Re: Billions of laughs attack by davies (Monsignor) on Feb 27, 2018 at 15:05 UTC
http://www.ws-attacks.org/XML_Entity_Expansion states If you are sure that your web service framework implements the SOAP 1.2 standard correctly you are not vulnerable to any of these attacks. In case you are not sure, the easiest and most forward way is to manually check prior to parsing whether or not an opening DTD Tag is existent. If that is the case just discard the message. Therefore, I would not be surprised if there were no plans to write a fix that would normally be implemented by another layer. I appreciate that this doesn't really answer your question, although it might suggest a workaround, and I'm only guessing about plans for the module. Regards, John Davies	[reply]
Re: Billions of laughs attack by LanX (Saint) on Feb 27, 2018 at 15:24 UTC
Sorry, but if you are still using 5.6, you might deserve billions of laughs ... ;-) Cheers Rolf _{(addicted to the Perl Programming Language and ☆☆☆☆ :) Wikisyntax for the Monastery}	[reply]
Re^2: Billions of laughs attack by Laurent_R (Canon) on Feb 27, 2018 at 22:46 UTC
On some of our VMS servers, we are stuck with Perl 5.8, with no way to upgrade because there hasn't been any newer Perl version for that version of the operating system.	[reply]
Re^3: Billions of laughs attack by Jenda (Abbot) on Feb 27, 2018 at 23:27 UTC
I guess you deserve billions of laughs for using VMS ... Jenda Enoch was right! Enjoy the last years of Rome.	[reply]
Re^4: Billions of laughs attack by Laurent_R (Canon) on Feb 28, 2018 at 07:25 UTC
Re^5: Billions of laughs attack by LanX (Saint) on Feb 28, 2018 at 09:00 UTC
Re: Billions of laughs attack by Anonymous Monk on Feb 28, 2018 at 02:01 UTC
If I may ask – are you seriously exposed to this attack, or is it merely hypothetical?	[reply]