Date: Fri, 13 Jan 2012 19:08:19 +0100 From: Nicolas Grégoire <nicolas.gregoire@...rri.fr> To: oss-security@...ts.openwall.com Subject: Re: CVE affected for PHP 5.3.9 ? Le vendredi 13 janvier 2012 à 09:54 -0700, Kurt Seifried a écrit : > I'm not clear on how this crosses a security boundary Some applications *will* process untrusted XSLT stylesheets. The most basic example is online XSLT gateways : http://www.shell-tools.net/index.php?op=xslt http://online-toolz.com/tools/xslt-transformation.php You may find more with Google and a dork like [inurl:php inurl:"xsl=http"]. This is often used to adapt the layout of a page to the browser (desktop vs. mobile). There's too some more complex cases where untrusted XSLT may be used, like parsing SVG images, XML-DSig signatures or SAML tokens, ... Regards, Nicolas
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.