Engine_libxslt
- Introduction
- Supported version
- Command line
- Identification strings
- Known parser bugs
- Special features
- File creation
- Cryptographic functions
Introduction
libxslt is a C based XSLT engine developed for the GNOME project.
Supported version
1.0
Command line
$> xsltproc foo.xsl foo.xml
Identification strings
| xsl:vendor-url | http://xmlsoft.org/XSLT/ |
|---|---|
| xsl:vendor | libxslt |
| xsl:version | 1.0 |
Known parser bugs
| CVE | Title | Ticket | Credits |
|---|---|---|---|
| CVE-2012-2825 | Wild read in XSL handling | https://code.google.com/p/chromium/issues/detail?id=127417 | Nicolas Gregoire |
| http://www.w3.org/1999/XSL/Transform | document | href | |
| http://www.jclark.com/xt | document | href | |
| http://exslt.org/common | document | href | |
| org.apache.xalan.xslt.extensions.Redirect | write | href | |
| http://icl.com/saxon | output | href |
- Wild read CVE-2012-2825
- Medium CVE-2012-2825: Wild read in XSL handling. Credit to Nicholas Gregoire.
- [110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt. Credit to Aki Helin of OUSPG.
[129930] High CVE-2012-2807: Integer overflows in libxml. Credit to Jüri Aedla.
[125462] High CVE-2011-3102: Off-by-one out-of-bounds write in libxml. Credit to Jüri Aedla.
[107128] High CVE-2011-3919: Heap-buffer-overflow in libxml. Credit to Jüri Aedla.
[95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team (Inferno)
[93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
[89402] High CVE-2011-2821: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
| Namespace | Extension element | Parameter | PoC |
|---|---|---|---|
| http://www.w3.org/1999/XSL/Transform | document | href | |
| http://www.jclark.com/xt | document | href | |
| http://exslt.org/common | document | href | |
| org.apache.xalan.xslt.extensions.Redirect | write | href | |
| http://icl.com/saxon | output | href |
Special features
- File creation
- Cryptographic functions
File creation
Several functions, associated at different namespaces, allow to create files on the engine side. They're all aliases to the xsltDocumentElem() function defined in libxslt/transform.c. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
| Namespace | Extension element | Parameter | PoC |
|---|---|---|---|
| http://www.w3.org/1999/XSL/Transform | document | href | |
| http://www.jclark.com/xt | document | href | |
| http://exslt.org/common | document | href | |
| org.apache.xalan.xslt.extensions.Redirect | write | href | |
| http://icl.com/saxon | output | href |
Note : The first line uses the standard XSLT namespace, which is always available.