Bugzilla – Bug 3537
WebMDS security -- remote users can determine some information about local files
Last modified: 2005-07-06 10:14:19
You need to
before you can comment on or make changes to this bug.
The default WebMDS deployment allows users to query arbitrary services for
arbitrary resource properties. It's also possible for a user to specify that
the result of one of these arbitrary queries should be used as an XSLT
transformation. Since XSLT transforms allow "include" statements, a malicious
user could write a service that published a resource property that consisted of
an XSLT transform that had an include directive specifying some system file. If
a transform had an include directive for "/some/file", the remote user would be
able to determine:
1. Whether or not "/some/file" exists and is readable by the Tomcat user.
2. If so, whether or not "/some/file" contains XML data.
3. If "/some/file" contains an XSLT transform, they'll be able to observe the
results of that transform.
Currently, the workaround is to allow only trusted services as the targets of
WebMDS resource property requests, and to configure WebMDS not to allow users to
specify the endpoints of resource property requests. With a standard,
out-of-the-box WebMDS distribution, this can be accomplished by removing the
The real solution is to add a configuraiton parameter to the XML Sources to
specify whether or not they're suitable for use for XSL transforms. In real
life, people only use the file plugin for this purpose anyway, and each file xml
source is fully configured on the server (i.e., the clients can't override what
file is read).
Added a suitableForXSL parameter to the xml source configuration schema; this
must be true for an xml source to be used as a source of XSL.