[Webkit-unassigned] [Bug 52688] New: XSLT security issue
bugzilla-daemon at webkit.org
Tue Jan 18 17:17:24 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=52688
Summary: XSLT security issue
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: XML
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: xan.lopez at gmail.com
This was reported to GNOME's bugzilla as a security issue in Epiphany; it also happens in Safari (but not in Chrome, interestingly), so forwarding it here. It's pretty serious.
---
Reported by Nicolas Grégoire <nicolas.gregoire at agarri.fr> to security at gnome.org.
Email itself:
"Hello,
I recently found a security bug in Epiphany. Please find some details below ...
Summary : When browsing a malicious web page, a file (whose location and content
are chosen by the attacker) can be created on the computer of the user. This
could be used to gain command execution, for example by creating a .bashrc file
in $HOME.
Bug description : The Epiphany browser uses libxslt for applying transforms to
XML content. The libxslt library supports XSLT extensions like "output", which
allow results to be redirected to a file. These extensions aren't restricted in
Epiphany, so remote pages can use them. I checked other browsers using libxslt
but they don't exhibit the same behavior. This is *not* a bug in libxslt.
PoC : A simple XML file and the malicious XSLT are attached. In order to
reproduce, just put these files on a web server and browse the XML one with
Epiphany. A "/tmp/0wn3d" file will be created client-side.
Intended disclosure : This vulnerability was found during a research project
affecting numerous applications processing XSL transformations. This project
will be presented at some security conferences during this
spring. Publication of vulnerabilities unpatched at this time will be delayed,
but not publication of the related tools and methodologies.
Regards,
Nicolas Grégoire"
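The report above describes the class of extension element involved (file-writing instructions such as "output") without showing how an embedder can screen for it. The following is an added example, not code from the bug report, from Epiphany or from WebKit: a stdlib-only Python pre-flight check that rejects a stylesheet before it reaches the XSLT engine if it contains a file-writing extension element or pulls in another stylesheet via xsl:import/xsl:include (where such an element could hide). The namespace URIs in FILE_WRITING_ELEMENTS are an assumption taken from libxslt's documented extensions and should be verified against the libxslt build in use; the two stylesheets are constructed samples.

```python
import xml.etree.ElementTree as ET

# Extension elements that libxslt implements as "write the result tree to a file".
# Assumption: these namespace URIs are the ones libxslt documents for the extensions;
# verify them against the libxslt build you actually embed.
FILE_WRITING_ELEMENTS = {
    ("http://exslt.org/documents", "document"),            # exsl:document
    ("http://icl.com/saxon", "output"),                    # saxon:output
    ("http://www.w3.org/1999/XSL/Transform", "document"),  # xsl:document (XSLT 1.1 draft)
}

# Instructions that load further stylesheets: a file write could sit in a document
# this scan never sees, so they are refused as well.
STYLESHEET_LOADERS = {
    ("http://www.w3.org/1999/XSL/Transform", "include"),
    ("http://www.w3.org/1999/XSL/Transform", "import"),
}


def split_tag(tag):
    """Turn ElementTree's '{uri}local' tag form into a (uri, local) pair."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def find_file_writes(stylesheet_xml):
    """Return [(clark_name, href)] for every element that writes a file or loads a stylesheet.

    Matching is done on the namespace URI, not the prefix, so rebinding the
    extension namespace to an unusual prefix does not evade the check.
    """
    root = ET.fromstring(stylesheet_xml)
    hits = []
    for elem in root.iter():  # includes the root element itself
        key = split_tag(elem.tag)
        if key in FILE_WRITING_ELEMENTS or key in STYLESHEET_LOADERS:
            hits.append((elem.tag, elem.get("href", "")))
    return hits


def is_safe_to_apply(stylesheet_xml):
    """True only when no file-writing or stylesheet-loading instruction is present."""
    return not find_file_writes(stylesheet_xml)


# Constructed sample: an ordinary stylesheet that only builds an HTML result tree.
BENIGN_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><h1><xsl:value-of select="/doc/title"/></h1></body></html>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed sample: the EXSLT documents namespace is bound to the prefix "z", so a
# check that greps for the literal "exsl:" prefix would miss it.
WRITING_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:z="http://exslt.org/documents">
  <xsl:template match="/">
    <z:document href="output.html">
      <html><body>written to disk</body></html>
    </z:document>
  </xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for name, sheet in (("benign", BENIGN_XSLT), ("writing", WRITING_XSLT)):
        verdict = "safe" if is_safe_to_apply(sheet) else f"rejected: {find_file_writes(sheet)}"
        print(name, verdict)
```

A stylesheet-level screen like this is a defence in depth, not a substitute for the engine refusing the write: libxslt exposes a security-preferences API (xsltSetSecurityPrefs with options such as XSLT_SECPREF_WRITE_FILE) through which an embedding application can forbid file creation regardless of what the stylesheet contains, which is the layer the report says Epiphany left unrestricted.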