[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] XSLT issue in MoinMoin
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-01-26 23:48:50
Message-ID: 4F21E662.8060308 () redhat ! com
[Download RAW message or body]
On 01/24/2012 02:37 PM, Nicolas Grégoire wrote:
>
>> How exactly does the attacker get access to the filesystem using XSLT?
>
> An attacker can read files using either the doc-as-string() extension
> function or a XML External Entity attack. Write access is done via the
> <exsl:document> extension element.
>
> Depending of your policy, you may want to affect one, two or three CVE
> (one by vector ? by impact ? by type of bug ?).
>
>> Does everything using 4Suite have this issue?
>
> Yes. Unless an obscure and undocumented option allows to deactivate this
> behavior :-(
>
> My XSLT Wiki has some additional details, including PoC code :
> - http://goo.gl/3A7h2 (4Suite)
> - http://goo.gl/GI5NK (MoinMoin)
>
> Regards,
> Nicolas
>
I think this issue warrants some more discussion, is the vuln in
moinmoin (and by extension anyone using 4Suite in a similar manner), or
is it a 4Suite issue (and in this case it's intended behaviour and not a
security issue?). Steve: care to weigh in?
--
Kurt Seifried Red Hat Security Response Team (SRT)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic