0 Replies Latest reply on Aug 8, 2013 12:30 AM by Jian Liu

    How to avoid parsing DTD in Soap Request

    Jian Liu Newbie

      The web service has an XML expansion vulnerability caused by parsing the DTD in the input SOAP message. Does anyone have a solution for turning off DTD loading/parsing for JAX-WS Web Services implemented using @WebService? JBoss AS 6 ships with the CXF web services implementation. There seems to be a way to replace the default parser according to http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf. But we are on JBoss 5.2.

       

      Thanks.
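
One container-independent way to screen for the problem asked about above, as an added example that is not part of the original post and not JBoss or CXF code: a StAX pre-check that refuses any request body carrying a DOCTYPE before it is handed to the web-service stack. The class name `SoapDtdGuard` and method `isDtdFree` are hypothetical, and calling it from something like a servlet filter in front of the endpoint is an assumption about the deployment.

```java
import java.io.ByteArrayInputStream;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical helper: pre-screens a SOAP body and refuses any DOCTYPE. */
public class SoapDtdGuard {

    /** Builds a StAX factory that neither processes DTDs nor resolves external entities. */
    private static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Returns true only if the document reaches its root element without a DOCTYPE. */
    public static boolean isDtdFree(byte[] body) {
        XMLStreamReader reader = null;
        try {
            reader = hardenedFactory().createXMLStreamReader(new ByteArrayInputStream(body));
            while (reader.hasNext()) {
                int event = reader.next();
                // SOAP 1.1 forbids a Document Type Declaration, so reject on sight.
                if (event == XMLStreamConstants.DTD) return false;
                // A DOCTYPE can only appear before the root element; stop scanning here.
                if (event == XMLStreamConstants.START_ELEMENT) return true;
            }
            return false; // no root element found
        } catch (XMLStreamException e) {
            return false; // malformed or refused by the parser: fail closed
        } finally {
            if (reader != null) try { reader.close(); } catch (XMLStreamException ignored) { }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages; the entity below is a harmless literal.
        String clean = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     + "<soapenv:Body/></soapenv:Envelope>";
        String withDtd = "<!DOCTYPE x [<!ENTITY a \"aaaa\">]>" + clean;
        System.out.println("clean message accepted: " + isDtdFree(clean.getBytes("UTF-8")));
        System.out.println("DOCTYPE message accepted: " + isDtdFree(withDtd.getBytes("UTF-8")));
    }
}
```

The check only reads the prolog, so the cost per request stays small; it fails closed on any parse error rather than passing the body on.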