XSL Stylesheet Security Update

Written by: John
Written on: Wed Feb 24, 2021 8:19 am
Last modified: Wed Feb 24, 2021 10:33 am
Views: 14735

Description: Properly encoding admin messages

Categories: Search Appliance, Webinator

Link to this article: Select all

[url=https://forums.thunderstone.com/app.php/kb/viewarticle?a=2&sid=c3f289c7e3583877c776ebb4a73b58a2]Knowledge Base - XSL Stylesheet Security Update[/url]
If you have an XSL file that is based off the default.xsl provided in versions prior to 22.7.0 then messages that may be useful for the administrator to debug query problems were put in HTML comments, however a crafted bad query could break out of the comment causing HTML injection or cross-site scripting concerns.

To fix the code you will need to edit the XSL file for the profile, replacing the section that looks like:

Code: Select all

<xsl:otherwise>
     <!-- not admin-mode, put the admin message in a
      HTML comment -->
   <xsl:comment><xsl:value-of select="concat(' ', @code,
      ' ',@script, ':', @line,
      ': ', .)"/></xsl:comment>
</xsl:otherwise>
with

Code: Select all

<xsl:otherwise>
   <!-- not admin-mode, put the admin message in a hidden span.  <xsl:comment> doesn't escape  -->
   <span style="display: none">
     <xsl:value-of select="concat('admin message: ', @code, ' ',@script, ':', @line, ': ', .)"/>
   </span>
</xsl:otherwise>

Nessus plugin 39466 and 49067
CWE #20,CWE #74,CWE #79,CWE #80,CWE #81,CWE #83,CWE #86,CWE #116,CWE #442,CWE #692,CWE #712,CWE #722,CWE #725,CWE #751,CWE #801,CWE #811,CWE #928,CWE #931
XSS