Issues with SignedXml Class

The SignedXml class is used to produce/verify a signature over an XML document. One of its methods, GetIdElement, is used to select XML elements for signing and verification and contains the following line:

xmlElement = document.SelectSingleNode(String.Concat("//*[@Id=\"", idValue, "\"]")) is XmlElement;

I can see two issues with this line:

1. URI injection - there is no validation of idValue whatsoever; therefore I can successfully validate the document below (see what the URI is). I have control over the XPath query you are performing. Although I cannot find any "dangerous" functions in the XPath specification, I think it is a bug that should be fixed, especially before XPath 2.0.

<test><el1 Id="abc" /><el2 noid="qwerty" /><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#abc1&quot;] | //*[@noid=&quot;qwerty"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>Lb1b1rf+AbI+zRYHnL3AQXLfWoQ=</DigestValue></Reference></SignedInfo><SignatureValue>sUfpZr66IpdqxsfEafIh+lUbRJCifQWGjSckVMNlOqoa2RA/UPFRPcajTbbSe+URVU+MrU9cV1bhP8nH4DNNuWy3Kdmy2mhXxObqsPLqfwf5bOSwFEpGckQq52+YrIx+Wi127VfdQMqC33J7Afm/trY5c0O6I2cFswm0EWgeFW8=</SignatureValue></Signature></test>


2. Why is SelectSingleNode used instead of SelectNodes? Because of it only the first element is returned and no exception is raised if there are two XML elements with the same Id. I can use this: having one valid signature, I can create a new document (with the same Id) and the signature will still be valid. Example below:

I have
<test><el1 Id="abc" /><el2 Id="qwerty">value1</el2><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#qwerty"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>vTwJDnUsVD3k4J+SadUZRK5tp6k=</DigestValue></Reference></SignedInfo><SignatureValue>ju9QkFABobpzShI1cHImx+oeo3Bttzge+So407KZ47ViSpxpcjfCDMbPoeDyFkGCC99O/vKhkwcCq9iqPgdajgtBQ+ZjUTODRwVMNxz42Z3Vq0Yu+UJHA2gGIaCyQpLBYGSAwqo8rdTw5Fv1Bi5Br441wGkAQS/lblTK2ubZRcA=</SignatureValue></Signature></test>

I can create 
<test><el1 Id="abc"><el2 Id="qwerty">value1</el2></el1><el2 Id="qwerty">value2</el2><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#qwerty"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>vTwJDnUsVD3k4J+SadUZRK5tp6k=</DigestValue></Reference></SignedInfo><SignatureValue>ju9QkFABobpzShI1cHImx+oeo3Bttzge+So407KZ47ViSpxpcjfCDMbPoeDyFkGCC99O/vKhkwcCq9iqPgdajgtBQ+ZjUTODRwVMNxz42Z3Vq0Yu+UJHA2gGIaCyQpLBYGSAwqo8rdTw5Fv1Bi5Br441wGkAQS/lblTK2ubZRcA=</SignatureValue></Signature></test>

The signature will be successfully validated, but instead of value1 my code responsible for deserializing el2 will use value2.

Of course multiple Ids are not permitted; therefore I would expect it to raise an exception instead of happily validating the signature.

My suggestion for everyone who uses this class is to create a new class that inherits from SignedXml and overloads the GetIdElement method.

Cheers,

Pak76
Posted by pak76 to dotnet.xml, 6/18/2004 9:16:01 AM

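The fix the post suggests, a SignedXml subclass with its own GetIdElement, worked through as an added example. This is not code from the original post or from the .NET Framework; the class name StrictSignedXml, the regex used to approximate an NCName and the demo inputs (modelled on the two documents above, with the Signature elements left out) are assumptions made for the example. It addresses both points raised in the post: the Id value is checked against the ID syntax before it is used at all, and no XPath string is built from it; and a lookup that matches more than one element fails instead of returning the first hit.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text.RegularExpressions;
using System.Xml;

// StrictSignedXml is a hypothetical name chosen for this example; it is not a type
// in the .NET Framework and not code from the original post.
public sealed class StrictSignedXml : SignedXml
{
    // A Reference URI of the form "#value" must name an xsd:ID, which is an NCName.
    // This is the ASCII subset of NCName; widen it if your documents use non-ASCII
    // Ids. Quotes, brackets, '|', '/' and whitespace are all rejected here, so they
    // can never reach a query string.
    private static readonly Regex NcName =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_.\-]*$", RegexOptions.CultureInvariant);

    public StrictSignedXml(XmlDocument document) : base(document) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        if (document == null || string.IsNullOrEmpty(idValue))
            return null;

        // Issue 1 from the post: idValue comes straight from the attacker-controlled
        // Reference URI. Validate its syntax instead of splicing it into XPath.
        if (!NcName.IsMatch(idValue))
            throw new CryptographicException(
                "Reference URI fragment is not a valid XML ID: '" + idValue + "'");

        // Walk every element and compare the attribute value in managed code; no XPath
        // is used at all. Like the original line, this looks only at an unprefixed
        // attribute named "Id"; add "id"/"ID" or wsu:Id here if your schema uses them.
        var matches = new List<XmlElement>();
        foreach (XmlElement element in document.GetElementsByTagName("*"))
        {
            if (element.HasAttribute("Id") &&
                string.Equals(element.GetAttribute("Id"), idValue, StringComparison.Ordinal))
                matches.Add(element);
        }

        // Issue 2 from the post: two elements with the same Id make the Reference
        // ambiguous (the copy that was signed and the copy the application reads may
        // differ). Fail closed instead of silently taking the first one.
        if (matches.Count > 1)
            throw new CryptographicException(
                "Reference URI '#" + idValue + "' matches " + matches.Count + " elements");

        return matches.Count == 1 ? matches[0] : null;
    }
}

public static class StrictSignedXmlDemo
{
    // Constructed inputs modelled on the two documents in the post; the Signature
    // elements are omitted because only the Id lookup is exercised here.
    private const string Clean =
        "<test><el1 Id=\"abc\" /><el2 Id=\"qwerty\">value1</el2></test>";
    private const string DuplicateId =
        "<test><el1 Id=\"abc\"><el2 Id=\"qwerty\">value1</el2></el1>" +
        "<el2 Id=\"qwerty\">value2</el2></test>";

    // Resolves an Id the way SignedXml does during Reference processing and reports
    // the outcome as text so the three cases can be compared side by side.
    public static string Resolve(string xml, string idValue)
    {
        var document = new XmlDocument { PreserveWhitespace = true };
        document.LoadXml(xml);
        try
        {
            XmlElement element = new StrictSignedXml(document).GetIdElement(document, idValue);
            return element == null ? "not found" : "found: " + element.OuterXml;
        }
        catch (CryptographicException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Legitimate lookup: exactly one element carries Id="qwerty".
        Console.WriteLine(Resolve(Clean, "qwerty"));
        // The post's second document: two elements carry Id="qwerty".
        Console.WriteLine(Resolve(DuplicateId, "qwerty"));
        // The post's first document: the URI fragment is an XPath payload.
        Console.WriteLine(Resolve(Clean, "abc1\"] | //*[@noid=\"qwerty"));
    }
}
```

Because Reference processing inside CheckSignature calls the overridden GetIdElement, both rejections surface as a CryptographicException from CheckSignature rather than as a successfully verified signature. The remaining step is on the application side: deserialize the element that GetIdElement returned for the verified Reference, not the result of a separate lookup, so that the element that was checked and the element that is consumed are the same node.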