Re: XSLT issue in MoinMoin
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Jan 2012 16:48:50 -0700
On 01/24/2012 02:37 PM, Nicolas Grégoire wrote:
>> How exactly does the attacker get access to the filesystem using XSLT?
> An attacker can read files using either the doc-as-string() extension
> function or an XML External Entity attack. Write access is done via the
> <exsl:document> extension element.
> Depending on your policy, you may want to assign one, two or three CVEs
> (one per vector? per impact? per type of bug?).
>> Does everything using 4Suite have this issue?
> Yes. Unless an obscure and undocumented option allows deactivating this
> My XSLT Wiki has some additional details, including PoC code:
> - http://goo.gl/3A7h2 (4Suite)
> - http://goo.gl/GI5NK (MoinMoin)
I think this issue warrants some more discussion, is the vuln in
moinmoin (and by extension anyone using 4Suite in a similar manner), or
is it a 4Suite issue (and in this case it's intended behaviour and not a
security issue?). Steve: care to weigh in?
Kurt Seifried Red Hat Security Response Team (SRT)
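As an added example (not code from this thread, nor from 4Suite or MoinMoin): a small Python audit that flags the three vectors Nicolas lists, an external entity declaration, a doc-as-string() call, and an exsl:document element, in an untrusted stylesheet before it is handed to the XSLT processor. The sample stylesheets are constructed; the 4Suite extension namespace URI and the file paths in them are placeholders, not the real values.

```python
import re
import xml.etree.ElementTree as ET

EXSL_NS = "http://exslt.org/common"  # namespace of <exsl:document>

# The DTD subset is not exposed by ElementTree, so external entity
# declarations (SYSTEM/PUBLIC) are detected lexically before parsing.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# doc-as-string() as it appears inside XPath expressions, any prefix or none.
DOC_AS_STRING_RE = re.compile(r"(?:[\w.-]+:)?doc-as-string\s*\(")


def audit_xslt(stylesheet: str) -> list:
    """Return (finding, detail) tuples for filesystem-reaching constructs."""
    findings = []
    if EXTERNAL_ENTITY_RE.search(stylesheet):
        findings.append(("external-entity",
                         "DTD declares a SYSTEM/PUBLIC entity (XXE file read)"))
    root = ET.fromstring(stylesheet)
    for elem in root.iter():  # document order
        if elem.tag == f"{{{EXSL_NS}}}document":
            findings.append(("exsl-document",
                             f"writes to href={elem.get('href')!r}"))
        # XPath lives in attributes (select, test, match, AVTs in href, ...)
        for attr, value in elem.attrib.items():
            if DOC_AS_STRING_RE.search(value):
                findings.append(("doc-as-string", f"{attr}={value!r}"))
    return findings


# Constructed sample exercising all three vectors; URI and paths are placeholders.
MALICIOUS_STYLESHEET = """<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM "file:///placeholder/path">]>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    xmlns:ft="urn:example:4suite-ext-namespace-placeholder">
  <xsl:template match="/">
    <xsl:value-of select="ft:doc-as-string('file:///placeholder/path')"/>
    <exsl:document href="/tmp/placeholder-output.txt" method="text">x</exsl:document>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed benign stylesheet for comparison: no findings expected.
SAFE_STYLESHEET = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="count(//item)"/></xsl:template>
</xsl:stylesheet>
"""
```

Run it as a pre-flight check on user-supplied stylesheets; a non-empty result is a reason to reject the document rather than transform it.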