Date: Tue, 24 Jan 2012 13:39:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: XSLT issue in MoinMoin

On 01/24/2012 01:07 PM, Nicolas Grégoire wrote:
> Hello,
>
> some vulnerabilities have been published with version 1.9.3 of
> MoinMoin: http://moinmo.in/SecurityFixes
>
> The XSS already has a CVE but not the XSLT issue. This issue is very
> similar to CVE-2012-0057 patched in PHP 5.3.9 (except the XSLT engine
> which is here '4Suite').
>
> The patch is simply a documentation update, given that 4Suite (afaik)
> doesn't allow deactivating its extensions:
> http://hg.moinmo.in/moin/1.9/rev/99e2309a7ec0
>
> Regards,
> Nicolas Grégoire

How exactly does the attacker get access to the filesystem using XSLT?
Does everything using 4Suite have this issue?

--
-- Kurt Seifried / Red Hat Security Response Team