DoS Flaw in SOAP DTD Parameter:
"Technology heavyweights IBM and Microsoft have released fixes for a potentially serious vulnerability in various Web Services products that could be exploited to trigger denial-of-service attacks (define).

In separate alerts, the companies said the vulnerability was caused by an error in the XML parser when parsing the DTD (Document Type Definition) part of XML documents. Independent security researcher Secunia has tagged the flaw with a 'moderately critical' rating."

Affected software include the IBM WebSphere 5.0.0 and Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1).

According to IBM, the security patch fixes a flaw that could be exploited by sending a specially crafted SOAP request. "This can cause the WebSphere XML Parser to consume an excessive amount of CPU resources," Big Blue warned.

An advisory from Microsoft confirmed the DTD error parsing vulnerability in its Web Services products, included with the .NET Framework 1.1.

Document Type Definition (DTD) provides a way DTDs provide a way to write markup rules that describe the structure of XML documents and can be used to validate the structure of those documents. When the XML 1.0 specification was originally created, the DTD syntax, which is not XML-based, was inherited from earlier markup languages, such as Standard Generalized Markup Language (SGML) and HTML, Microsoft explained.…

http://www.internetnews.com/dev-news/article.php/3289191