CVEXXX - Remote Code Execution on XSLT processing

Summary

An attacker can execute code on an esigate instance by injecting a malicious XSLT stylesheet through a backend/provider application. This requires control of the backend/provider.

Who should read this: All esigate admins
Impact of vulnerability: Possible Remote Code Execution when an attacker has control of a backend/provider application (directly, or by using another vulnerability in these applications).
Maximum security rating: Critical
Recommendation: Upgrade to esigate 5.3
Affected Software: Esigate 5.2 and lower.
Reporter: This bug was found by Benoit Côté-Jodoin from GoSecure.
CVE Identifier: To be assigned

Problem

ESIGate supports the <esi:include> tag together with its stylesheet attribute, which may reference a remote XSLT stylesheet. This feature can allow an attacker to execute code on the server running ESIGate. The attack scenario requires the attacker to reflect an <esi:include> tag in any page served by the backend/provider (any XSS-like injection point). From that injection point, the include tag points to an arbitrary page and to a remote malicious stylesheet.

Solution

Update to esigate 5.3.

XSLT processing has been switched to secure mode, which prevents advanced extensions from being used. Esigate will display an error if a malicious XSLT stylesheet is used.

Compatibility

No backward compatibility issue is expected.

Workaround

No workaround exists other than ensuring that an attacker cannot inject HTML tags into the backend/provider application.
