ESIGate supports the esi:include tag along with the stylesheet attribute. This attribute can be a remote XSLT. This feature can allow an attacker to execute code on the remote server.
We have to switch the XSLT parser to secure mode in order to prevent execution of malicious commands inserted in stylesheets.
This bug was found by Benoit Côté-Jodoin and reported by Philippe Arteau from GoSecure.