oss-sec mailing list archives
Re: XSLT issue in MoinMoin
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Tue, 24 Jan 2012 22:37:12 +0100
> How exactly does the attacker get access to the filesystem using XSLT?
An attacker can read files using either the doc-as-string() extension function or an XML External Entity attack. Write access is done via the <exsl:document> extension element. Depending on your policy, you may want to assign one, two or three CVEs (one per vector? per impact? per type of bug?).
> Does everything using 4Suite have this issue?
Yes. Unless an obscure and undocumented option allows deactivating this behavior :-(

My XSLT Wiki has some additional details, including PoC code:
- http://goo.gl/3A7h2 (4Suite)
- http://goo.gl/GI5NK (MoinMoin)

Regards,
Nicolas
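
A pre-processing check for the three vectors named in this message, as an added example that is not part of the original post and not MoinMoin or 4Suite code: it screens a user-supplied stylesheet before it reaches the XSLT processor. The function name, the sample stylesheets and the `urn:example:placeholder` namespace are constructed for illustration, and `doc-as-string` is matched by local name under any prefix.

```python
import re
import xml.etree.ElementTree as ET

EXSLT_COMMON = "http://exslt.org/common"  # namespace of <exsl:document>
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)")
READ_FUNC_RE = re.compile(r"\bdoc-as-string\s*\(")  # any namespace prefix

def audit_stylesheet(data: bytes) -> list[str]:
    """Return findings for one user-supplied stylesheet (empty list = none)."""
    # UTF-16/32 input would hide "<!DOCTYPE" from the byte regex: refuse it.
    if b"\x00" in data:
        return ["encoding: not an ASCII-compatible encoding, refused"]
    # Entities are declared in the DTD, so any DTD is refused before parsing.
    if DTD_RE.search(data):
        return ["dtd: DOCTYPE/ENTITY declaration (external entity vector)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]
    findings = []
    for el in root.iter():
        if el.tag == f"{{{EXSLT_COMMON}}}document":
            findings.append("write: <exsl:document> extension element")
        # XPath lives in attributes (select, test, attribute value templates).
        for name, value in el.attrib.items():
            if READ_FUNC_RE.search(value):
                findings.append(f"read: doc-as-string() call in @{name}")
    return findings

def _sheet(ns: str, body: str) -> bytes:
    """Wrap a template body in a minimal stylesheet (test fixture helper)."""
    return (f'<xsl:stylesheet version="1.0" {ns} '
            'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
            f'<xsl:template match="/">{body}</xsl:template>'
            '</xsl:stylesheet>').encode()

# Constructed inputs; PLACEHOLDER stands in for any path.
SAMPLES = {
    "benign": _sheet("", '<p><xsl:value-of select="title"/></p>'),
    "write": _sheet(f'xmlns:exsl="{EXSLT_COMMON}"',
                    '<exsl:document href="PLACEHOLDER"/>'),
    "read": _sheet('xmlns:f="urn:example:placeholder"',
                   "<xsl:value-of select=\"f:doc-as-string('PLACEHOLDER')\"/>"),
    "dtd": b'<!DOCTYPE s [<!ENTITY e "x">]><s>&e;</s>',
}

if __name__ == "__main__":
    for label, sheet in SAMPLES.items():
        print(label, audit_stylesheet(sheet) or "clean")
```

A deny-list like this is a triage aid for stored stylesheets; it does not replace keeping untrusted stylesheets away from a processor that exposes these extensions.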