Home page logo

oss-sec logo oss-sec mailing list archives

Re: XSLT issue in MoinMoin
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Tue, 24 Jan 2012 22:37:12 +0100

How exactly does the attacker get access to the filesystem using XSLT?

An attacker can read files using either the doc-as-string() extension
function or a XML External Entity attack. Write access is done via the
<exsl:document> extension element.

Depending of your policy, you may want to affect one, two or three CVE
(one by vector ? by impact ? by type of bug ?).

Does everything using 4Suite have this issue?

Yes. Unless an obscure and undocumented option allows to deactivate this
behavior :-(

My XSLT Wiki has some additional details, including PoC code :
- http://goo.gl/3A7h2 (4Suite)
- http://goo.gl/GI5NK (MoinMoin)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]