oss-sec mailing list archives
Re: XSLT issue in MoinMoin
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 24 Jan 2012 13:39:34 -0700
On 01/24/2012 01:07 PM, Nicolas Grégoire wrote:
> Hello, some vulnerabilities have been published with version 1.9.3 of MoinMoin:
> http://moinmo.in/SecurityFixes
>
> The XSS already has a CVE but not the XSLT issue. This issue is very similar to CVE-2012-0057 patched in PHP 5.3.9 (except the XSLT engine which is here '4Suite').
>
> The patch is simply a documentation update, given that 4Suite (afaik) doesn't allow to deactivate its extensions:
> http://hg.moinmo.in/moin/1.9/rev/99e2309a7ec0
>
> Regards,
> Nicolas Grégoire
How exactly does the attacker get access to the filesystem using XSLT? Does everything using 4Suite have this issue?

--
-- Kurt Seifried / Red Hat Security Response Team