List:       oss-security
Subject:    Re: [oss-security] XSLT issue in MoinMoin
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-01-26 23:48:50
Message-ID: 4F21E662.8060308 () redhat ! com

On 01/24/2012 02:37 PM, Nicolas Grégoire wrote:
> 
>> How exactly does the attacker get access to the filesystem using XSLT?
> 
> An attacker can read files using either the doc-as-string() extension
> function or an XML External Entity attack. Write access is done via the
> <exsl:document> extension element.
> 
> Depending on your policy, you may want to affect one, two or three CVEs
> (one by vector? by impact? by type of bug?).
> 
>> Does everything using 4Suite have this issue?
> 
> Yes. Unless an obscure and undocumented option allows deactivating this
> behavior :-(
> 
> My XSLT Wiki has some additional details, including PoC code:
> - http://goo.gl/3A7h2 (4Suite)
> - http://goo.gl/GI5NK (MoinMoin)
> 
> Regards,
> Nicolas
> 

I think this issue warrants some more discussion: is the vuln in
MoinMoin (and by extension anyone using 4Suite in a similar manner), or
is it a 4Suite issue (and in this case it's intended behaviour and not a
security issue?). Steve: care to weigh in?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
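
An added example, not part of the original thread and not code from MoinMoin or 4Suite: a pre-flight check an application could run on an untrusted stylesheet before handing it to an XSLT processor, flagging the three vectors named above (doc-as-string(), a DOCTYPE that can declare external entities, and exsl:document). The function name, finding strings and sample stylesheets are assumptions made for the illustration.

```python
import re
import xml.parsers.expat

EXSLT_COMMON_NS = "http://exslt.org/common"        # namespace of <exsl:document>
DOC_AS_STRING = re.compile(r"doc-as-string\s*\(")  # extension function named in the thread
SEP = " "  # expat reports names as "<namespace-uri> <local-name>"


class _DoctypeSeen(Exception):
    """Raised to abort parsing before any entity is declared or expanded."""


def audit_stylesheet(data: bytes) -> list:
    """Return findings for the three vectors from the thread; [] means none found."""
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise _DoctypeSeen()

    def on_start(tag, attrs):
        ns, _, local = tag.rpartition(SEP)
        if ns == EXSLT_COMMON_NS and local == "document":
            findings.append("write: exsl:document element")
        for value in attrs.values():  # XPath expressions live in attribute values
            if DOC_AS_STRING.search(value):
                findings.append("read: doc-as-string() call")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=SEP)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _DoctypeSeen:
        findings.append("read: DOCTYPE present (external entity vector)")
    except xml.parsers.expat.ExpatError as exc:
        findings.append("reject: not well-formed (%s)" % exc)
    return findings


# Constructed samples; the file names and the urn:example namespace are placeholders.
XSL = b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
SAMPLES = {
    "clean": XSL + b'><xsl:template match="/"><p/></xsl:template></xsl:stylesheet>',
    "write": XSL + b' xmlns:exsl="http://exslt.org/common"><xsl:template match="/">'
             b'<exsl:document href="out.txt">x</exsl:document></xsl:template></xsl:stylesheet>',
    "read": XSL + b' xmlns:f="urn:example:ext"><xsl:template match="/">'
            b'<xsl:value-of select="f:doc-as-string(\'notes.txt\')"/></xsl:template></xsl:stylesheet>',
    "entity": b'<!DOCTYPE x [<!ENTITY e SYSTEM "notes.txt">]>' + XSL + b'/>',
}
```

A check like this is a filter in front of the processor, not a replacement for running the transform with file access restricted at the processor or operating-system level.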