Microsoft KB Archive/317492

= DOC: Clarification: XmlResolver.Credentials Property Documentation =

Article ID: 317492

Article Last Modified on 9/24/2003


APPLIES TO


 * Microsoft Visual Studio .NET 2002 Professional Edition
 * Microsoft .NET Framework 1.0




This article was previously published under Q317492



SUMMARY
The MSDN documentation for the XmlResolver.Credentials property states the following:

If credentials are needed but not supplied, the resolver uses default credentials (CredentialCache.DefaultCredentials).

The following statement should be added:

To avoid malicious requests to protected Web sites, do not use DefaultCredentials. Use the credentials set by user.



MORE INFORMATION
XmlResolver resolves external XML resources, such as entities, DTDs, and schemas. It also processes include and import elements in Extensible Stylesheet Language (XSL) stylesheets or XML Schema Definition language (XSD) schemas.

One security risk of using default credentials arises when a Simple Object Access Protocol (SOAP) message is processed by a computer inside a network that is protected by a firewall: the HTTP request that is generated for an external reference may be able to access computers that are not accessible from outside the firewall. These requests may also access ports other than port 80, which may increase the risk further.
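
The following C# sketch is an added example, not code from the original article or from Microsoft. It shows one way to follow the guidance above: the resolver carries only a credential supplied by the user, scoped to a single trusted prefix, and refuses external references to any other host or port. The host names, the "Basic" authentication type, the credential values and the AllowListResolver class name are assumptions made for illustration, and the code targets .NET Framework 2.0 or later.

```csharp
using System;
using System.Net;
using System.Xml;

// Added example: a resolver that rejects external references outside one
// trusted host/port and never relies on CredentialCache.DefaultCredentials.
public class AllowListResolver : XmlUrlResolver
{
    private readonly string allowedHost;   // hypothetical trusted host
    private readonly int allowedPort;

    public AllowListResolver(string host, int port, NetworkCredential userCredential)
    {
        allowedHost = host;
        allowedPort = port;
        // Scope the user-supplied credential to the trusted URI prefix only.
        CredentialCache cache = new CredentialCache();
        cache.Add(new Uri("https://" + host + ":" + port + "/"), "Basic", userCredential);
        Credentials = cache;
    }

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        bool allowed = absoluteUri.Scheme == Uri.UriSchemeHttps
            && string.Equals(absoluteUri.Host, allowedHost, StringComparison.OrdinalIgnoreCase)
            && absoluteUri.Port == allowedPort;
        if (!allowed)
            throw new XmlException("Blocked external reference: " + absoluteUri);
        return base.GetEntity(absoluteUri, role, ofObjectToReturn);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed values; in practice use credentials the user supplied.
        NetworkCredential cred = new NetworkCredential("example-user", "example-password");
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = new AllowListResolver("schemas.example.com", 443, cred);

        // Constructed document whose DTD reference is outside the allowlist.
        string xml = "<!DOCTYPE r SYSTEM \"http://intranet.example.internal:8080/x.dtd\"><r/>";
        try { doc.LoadXml(xml); }
        catch (XmlException ex) { Console.WriteLine(ex.Message); }
    }
}
```

If the application never needs external entities, DTDs or schema imports, setting the XmlResolver property to null disables resolution altogether and removes the outbound request.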

