oss-sec mailing list archives
Re: XSLT issue in MoinMoin
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Jan 2012 16:48:50 -0700
On 01/24/2012 02:37 PM, Nicolas Grégoire wrote:
How exactly does the attacker get access to the filesystem using XSLT?An attacker can read files using either the doc-as-string() extension function or a XML External Entity attack. Write access is done via the <exsl:document> extension element. Depending of your policy, you may want to affect one, two or three CVE (one by vector ? by impact ? by type of bug ?).Does everything using 4Suite have this issue?Yes. Unless an obscure and undocumented option allows to deactivate this behavior :-( My XSLT Wiki has some additional details, including PoC code : - http://goo.gl/3A7h2 (4Suite) - http://goo.gl/GI5NK (MoinMoin) Regards, Nicolas
I think this issue warrants some more discussion, is the vuln in moinmoin (and by extension anyone using 4Suite in a similar manner), or is it a 4Suite issue (and in this case it's intended behaviour and not a security issue?). Steve: care to weigh in? -- Kurt Seifried Red Hat Security Response Team (SRT)
Current thread:
- XSLT issue in MoinMoin Nicolas Grégoire (Jan 24)
- Re: XSLT issue in MoinMoin Kurt Seifried (Jan 24)
- Re: XSLT issue in MoinMoin Nicolas Grégoire (Jan 24)
- Re: XSLT issue in MoinMoin Kurt Seifried (Jan 26)
- Re: XSLT issue in MoinMoin Nicolas Grégoire (Jan 24)
- Re: XSLT issue in MoinMoin Kurt Seifried (Jan 24)