Bug 3537 - WebMDS security -- remote users can determine some information about local files
: MDS4
: development
: PC Windows XP
: P3 blocker
: 4.0.1
Reported: 2005-07-01 15:42 by
Modified: 2005-07-06 10:14


Description From 2005-07-01 15:42:21
The default WebMDS deployment allows users to query arbitrary services for
arbitrary resource properties.  It's also possible for a user to specify that
the result of one of these arbitrary queries should be used as an XSLT
transformation.  Since XSLT transforms allow "include" statements, a malicious
user could write a service that published a resource property that consisted of
an XSLT transform that had an include directive specifying some system file.  If
a transform had an include directive for "/some/file", the remote user would be
able to determine:

1.  Whether or not "/some/file" exists and is readable by the Tomcat user.
2.  If so, whether or not "/some/file" contains XML data.
3.  If "/some/file" contains an XSLT transform, they'll be able to observe the
results of that transform.

Currently, the workaround is to allow only trusted services as the targets of
WebMDS resource property requests, and to configure WebMDS not to allow users to
specify the endpoints of resource property requests.  With a standard,
out-of-the-box WebMDS distribution, this can be accomplished by removing the
file $GLOBUS_LOCATION/lib/webmds/conf/openEndedRP.

The real solution is to add a configuration parameter to the XML Sources to
specify whether or not they're suitable for use for XSL transforms.  In real
life, people only use the file plugin for this purpose anyway, and each file xml
source is fully configured on the server (i.e., the clients can't override what
file is read).
------- Comment #1 From 2005-07-03 21:13:37 -------
Added a suitableForXSL parameter to the xml source configuration schema; this
must be true for an xml source to be used as a source of XSL.
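
An added example, not WebMDS code: a Java sketch of the gate described in Comment #1, followed by a second layer that stops `xsl:include`/`xsl:import` from resolving even for sources that pass the gate. The `XmlSource` record, the source names and the sample stylesheet are hypothetical; it assumes Java 16 or later and the JDK's built-in XSLT implementation, which supports the JAXP `ACCESS_EXTERNAL_*` attributes.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class XslSourceGate {
    // Hypothetical model of a configured xml source; only the parameter
    // name suitableForXSL comes from the bug report.
    record XmlSource(String name, boolean suitableForXSL, String content) {}

    static Templates compile(XmlSource src) throws TransformerConfigurationException {
        // Layer 1: sources not marked suitable never reach the XSLT compiler.
        if (!src.suitableForXSL()) {
            throw new SecurityException("xml source '" + src.name() + "' is not suitableForXSL");
        }
        // Layer 2 (an assumption added here, not part of the WebMDS fix):
        // allow no protocols for external stylesheets or DTDs, and refuse
        // every URI the stylesheet asks the processor to resolve.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("external stylesheet reference refused: " + href);
        });
        return tf.newTemplates(new StreamSource(new StringReader(src.content())));
    }

    public static void main(String[] args) {
        // Constructed sample: a stylesheet whose include points at a local path.
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                   + "<xsl:include href=\"file:///some/file\"/></xsl:stylesheet>";
        XmlSource[] sources = {
            new XmlSource("remoteResourceProperty", false, xsl), // client-chosen endpoint
            new XmlSource("serverSideFile", true, xsl),          // configured on the server
        };
        for (XmlSource s : sources) {
            try {
                compile(s);
                System.out.println(s.name() + ": compiled");
            } catch (SecurityException | TransformerConfigurationException e) {
                System.out.println(s.name() + ": rejected (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Both sources are rejected: the first by the `suitableForXSL` check, the second because the include cannot be resolved at compile time.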