oss-sec mailing list archives

Re: XSLT issue in MoinMoin


From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Tue, 24 Jan 2012 22:37:12 +0100


> How exactly does the attacker get access to the filesystem using XSLT?

An attacker can read files using either the doc-as-string() extension
function or an XML External Entity attack. Write access is done via the
<exsl:document> extension element.

Depending on your policy, you may want to assign one, two or three CVEs
(one per vector? per impact? per type of bug?).

> Does everything using 4Suite have this issue?

Yes. Unless an obscure and undocumented option allows deactivating this
behavior :-(

My XSLT Wiki has some additional details, including PoC code:
- http://goo.gl/3A7h2 (4Suite)
- http://goo.gl/GI5NK (MoinMoin)

Regards,
Nicolas
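
The three vectors named in the message (an inline DTD for XXE reads, the doc-as-string() extension function for reads, and <exsl:document> for writes) can be caught with a static pre-filter on a user-supplied stylesheet before it ever reaches the XSLT processor. The following is an added example written for this archive page, not code from 4Suite, MoinMoin, or the poster; the sample stylesheets are constructed payloads modelled on the vectors described above, the namespace URI used for doc-as-string() is an assumption (the thread names the function but not its namespace), and the check also flags the standard document() function and its XSLT 2.0 relatives because they give the same read primitive. It is a stopgap that reduces exposure; it does not replace disabling extension functions and external entity resolution in the processor itself.

```python
"""Static audit of a user-supplied XSLT stylesheet for filesystem access.

Flags the three vectors discussed in the thread: XXE via an inline DTD,
reads through doc-as-string()/document(), and writes through exsl:document.
Standard library only, so it runs without 4Suite or lxml installed.
"""
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSL_NS = "http://exslt.org/common"   # namespace of the exsl:document element
# Assumption: 4Suite exposes doc-as-string() under this namespace URI.
FT_NS = "http://xmlns.4suite.org/ext"

# XPath functions that pull an arbitrary URI into the transform. doc-as-string()
# is the one named in the thread; document() is standard XSLT 1.0; doc() and
# unparsed-text() are the XSLT/XPath 2.0 equivalents, included so the check
# generalises beyond 4Suite.
READ_FUNCTIONS = ("doc-as-string", "unparsed-text", "document", "doc")

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# A known function name followed by '(' that is not the tail of a longer name.
READ_CALL_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(f) for f in READ_FUNCTIONS) + r")\s*\("
)


def audit_stylesheet(xslt_text):
    """Return a list of finding strings; an empty list means nothing was seen."""
    findings = []

    # 1. XXE: an inline DTD can declare an external entity that the processor
    #    expands from the filesystem during parsing, so refuse it outright
    #    instead of handing it to any XML parser.
    if DOCTYPE_RE.search(xslt_text):
        findings.append("dtd: inline DOCTYPE, possible external entity read")
        return findings

    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        return ["parse-error: %s" % exc]

    for el in root.iter():
        # 2. Write: exsl:document serialises its content to the href target.
        if el.tag == "{%s}document" % EXSL_NS:
            findings.append("write: exsl:document href=%r" % el.get("href"))
        # 3. Read: XPath expressions live in attribute values (select, test,
        #    attribute value templates in href/name), so scan every attribute.
        for attr, value in el.attrib.items():
            for match in READ_CALL_RE.finditer(value):
                findings.append("read: %s() in %s=%r" % (match.group(1), attr, value))
    return findings


def is_safe(xslt_text):
    return audit_stylesheet(xslt_text) == []


# Constructed sample stylesheets (not taken from the thread or its PoC pages).
BENIGN_STYLESHEET = """<xsl:stylesheet version="1.0" xmlns:xsl="%s">
  <xsl:template match="/"><ul>
    <xsl:for-each select="//item"><li><xsl:value-of select="."/></li></xsl:for-each>
  </ul></xsl:template>
</xsl:stylesheet>""" % XSL_NS

XXE_STYLESHEET = """<!DOCTYPE x [<!ENTITY passwd SYSTEM "file:///etc/passwd">]>
<xsl:stylesheet version="1.0" xmlns:xsl="%s">
  <xsl:template match="/">&passwd;</xsl:template>
</xsl:stylesheet>""" % XSL_NS

DOC_AS_STRING_STYLESHEET = """<xsl:stylesheet version="1.0" xmlns:xsl="%s" xmlns:ft="%s">
  <xsl:template match="/">
    <xsl:value-of select="ft:doc-as-string('file:///etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>""" % (XSL_NS, FT_NS)

EXSL_DOCUMENT_STYLESHEET = """<xsl:stylesheet version="1.0" xmlns:xsl="%s"
    xmlns:exsl="%s" extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="/tmp/owned.txt" method="text">written by xslt</exsl:document>
  </xsl:template>
</xsl:stylesheet>""" % (XSL_NS, EXSL_NS)


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_STYLESHEET), ("xxe", XXE_STYLESHEET),
                       ("doc-as-string", DOC_AS_STRING_STYLESHEET),
                       ("exsl:document", EXSL_DOCUMENT_STYLESHEET)):
        print(name, "->", audit_stylesheet(text) or "no findings")
```

The DOCTYPE check runs on the raw text before any parser touches the input, because the entity expansion is the attack; the element and attribute checks run on the parsed tree so prefixes can be resolved to namespace URIs rather than matched by name. Processors that offer other output extensions (vendor-specific document or output elements) would need their namespaces added to the write check.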

