Jian Liu [https://community.jboss.org/people/jliubay] created the discussion

"How to avoid parsing DTD in Soap Request"

To view the discussion, visit: https://community.jboss.org/message/831863#831863

--------------------------------------------------------------
Web service has an XML expansion vulnerability by parsing DTD in the input soap message. Does anyone have a solution for turning off DTD loading/parsing for JAX-WS Web Services implemented using @WebService? JBoss AS 6 ships with CXF web services implementation. There seems to be a way to replace default parser according to http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf. But we are on JBoss5.2.

Thaks.
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/831863#831863]

Start a new discussion in JBoss Web Services at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2044]