Date: Tue, 18 Apr 2017 08:34:14 -0700
From: Ian Zimmerman <itz@...mate.net>
To: oss-security@...ts.openwall.com
Subject: Re: Apache XML Graphics FOP information disclosure vulnerability

On 2017-04-18 09:18, Simon Steiner wrote:

> CVE-2017-5661:
> Apache XML Graphics FOP information disclosure vulnerability

[...]

> Description:
> Files lying on the filesystem of the server which uses batik can be
> revealed to arbitrary users who send maliciously formed SVG
> files. The file types that can be shown depend on the user context in
> which the exploitable application is running. If the user is root a
> full compromise of the server--including confidential or sensitive
> files--would be possible.
>
> XXE can also be used to attack the availability of the server via
> denial of service as the references within a xml document can
> trivially trigger an amplification attack.

Was this a copy and paste accident?

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
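The quoted description covers the two XXE outcomes a server-side SVG renderer has to worry about: an external entity pulling local files into the output, and nested entity references amplifying into a denial of service. Both are shut off at the XML parser before the SVG ever reaches the renderer. The following is an added example, not code from the FOP or Batik projects and not the fix that went into them: it hardens a standard JAXP `DocumentBuilderFactory` (the Xerces feature URIs used here are the standard ones; the class name `SafeSvgParse`, the helper names and the two sample SVG strings are constructed for this illustration). With `disallow-doctype-decl` on, any document that carries a DOCTYPE, and therefore any entity declaration, is rejected outright, which covers both the file-disclosure and the amplification case in one setting; the remaining features are belt-and-braces for parsers where DOCTYPEs must be allowed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Hypothetical hardening of a JAXP parser for untrusted SVG input.
// This is an illustration, not FOP's or Batik's own XML handling.
public class SafeSvgParse {

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: no DOCTYPE means no entity declarations at all,
        // so neither external-file entities nor entity-expansion bombs can appear.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must keep DOCTYPEs enabled.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true); // SVG is namespaced
        return f;
    }

    // Returns true if the document parses under the hardened configuration,
    // false if the parser rejected it (for example because of a DOCTYPE).
    static boolean parsesCleanly(String xml) {
        try {
            DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (Exception e) {
            // SAXParseException for a DOCTYPE under disallow-doctype-decl, etc.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a harmless SVG, and one carrying a DOCTYPE
        // with an internal entity (the shape an XXE or amplification payload takes).
        String plain =
            "<svg xmlns=\"http://www.w3.org/2000/svg\"><rect width=\"1\" height=\"1\"/></svg>";
        String withDoctype =
            "<!DOCTYPE svg [<!ENTITY e \"x\">]>"
            + "<svg xmlns=\"http://www.w3.org/2000/svg\">&e;</svg>";

        System.out.println("plain SVG accepted:        " + parsesCleanly(plain));        // true
        System.out.println("SVG with DOCTYPE accepted: " + parsesCleanly(withDoctype)); // false
    }
}
```

Run it with `javac SafeSvgParse.java && java SafeSvgParse`. The first sample parses; the second is refused with a parse error mentioning the DOCTYPE, before any entity is ever resolved or expanded. When auditing a renderer like the one described in the quoted advisory, the question to ask is whether every path that turns user-supplied bytes into a DOM or SAX stream goes through a factory configured this way; a single unhardened parser (for example one created for a font, stylesheet or metadata file) reopens the hole.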