This is not a bug: no such attack is possible, given the fact that LimeWire does not download schemas from the indicated URL. The URL for the schema is just a namespace (this is compliant with the W3C rules regarding XML schemas), and the namespace is always resolved locally, by using a local store of the XML schemas.
You should reread the specification of XML, and you'll see that a compliant XML parser does not need to refer to the XSD schema by downloading it prior to validating an XML document.
LimeWire uses the W3C-compliant "Xerces" XML parser for Java.
Last edited by verdyp; October 12th, 2002 at 08:45 PM.
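The local resolution described in the post above, as an added example that is not LimeWire's code and not part of the original post: the namespace URI is used only as a key into an in-process schema store, and the validator is denied all external schema and DTD access. It assumes the JDK's built-in JAXP implementation (Java 9 or later); the class name, namespace URI and schema are constructed for illustration.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
public class LocalSchemaStore {
    // Constructed namespace URI: used only as a lookup key, never fetched.
    static final String NS = "http://example.invalid/schemas/audio.xsd";
    // Constructed schema standing in for a schema store shipped with the application.
    static final Map<String, String> STORE = Map.of(NS,
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='" + NS + "'>"
        + "<xs:element name='audio'><xs:complexType>"
        + "<xs:attribute name='title' type='xs:string' use='required'/>"
        + "</xs:complexType></xs:element></xs:schema>");
    static Validator validatorFor(String namespace) throws Exception {
        String xsd = STORE.get(namespace);
        if (xsd == null) throw new IllegalArgumentException("no local schema for " + namespace);
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Empty protocol list: imports/includes and DTDs may not be loaded from any URL.
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        Validator v = f.newSchema(new StreamSource(new StringReader(xsd))).newValidator();
        // Same restriction while validating the instance document itself.
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return v;
    }
    static boolean isValid(String namespace, String xml) {
        try {
            validatorFor(namespace).validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (Exception e) {
            return false; // invalid document, unknown namespace, or blocked external access
        }
    }

    public static void main(String[] args) {
        String good = "<audio xmlns='" + NS + "' title='demo'/>";
        String missingAttr = "<audio xmlns='" + NS + "'/>";
        // Constructed instance carrying an xsi:schemaLocation hint to a remote URL.
        String hinted = "<audio xmlns='" + NS + "' title='demo'"
            + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
            + " xsi:schemaLocation='" + NS + " http://example.invalid/remote.xsd'/>";
        System.out.println("good: " + isValid(NS, good));
        System.out.println("missing title: " + isValid(NS, missingAttr));
        System.out.println("with schemaLocation hint: " + isValid(NS, hinted));
    }
}
```

If a stand-alone Apache Xerces jar is on the classpath instead of the JDK implementation, the two `ACCESS_EXTERNAL_*` properties may not be recognized and `setProperty` will throw.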