On Wed, 2018-03-14 at 16:40 -0500, Eliot Kimber wrote:
> Anyway, the original sample doc was (is) valid and the injection can
> be done if you have access to the ML server’s file system and ML has
> read access to a directory you can write to and you can create and
> can run XQuery to load the file from the server’s file system.
Note, this lets you read any file that the server can access, as long as it's well-formed. But you could do that if you could run a query, too. For example, /etc/passwd is a common one, to get a list of accounts on the system, if it's Unix-like enough.

Running a server in a chroot'd partition (or a container) mitigates that attack and is generally a good idea where security is important.

Infinite files like /dev/random or /dev/zero might be a bigger problem, although I didn't try.

Liam

-- 
Liam Quin, W3C, http://www.w3.org/People/Quin/
Staff contact for Verifiable Claims WG, SVG WG, XQuery WG
Improving Web Advertising: https://www.w3.org/community/web-adv/
Personal: awesome vintage art: http://www.fromoldbooks.org/

_______________________________________________
General mailing list
General@developer.marklogic.com
Manage your subscription at: http://developer.marklogic.com/mailman/listinfo/general
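The reply above names three things a server-side "load this file" operation should guard against: reads outside a confined directory (what the chroot or container buys you), device files such as /dev/zero or /dev/random that never end, and the general problem of reading files the server can see. As an added example, not code from this thread, from MarkLogic or from the XQuery module under discussion, the loader below enforces those checks in application code using only the Python standard library. The names load_xml_confined, LoadRefused and MAX_BYTES, the fixture files built by demo(), and the 1 KiB cap used there are assumptions made for the illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical cap on bytes read from any one file; tune per deployment.
MAX_BYTES = 1 << 20


class LoadRefused(Exception):
    """Raised when a file must not be loaded (escapes root, not regular, too big)."""


def load_xml_confined(relpath, allowed_root, max_bytes=MAX_BYTES):
    """Load an XML document from the server file system with three checks:
    1. the resolved target ('..' and symlinks collapsed) stays under allowed_root,
       confining reads the way a chroot or container would;
    2. the opened file is a regular file, so devices such as /dev/zero or
       /dev/random and FIFOs are refused before anything is read from them;
    3. at most max_bytes are read, so a file that grows or never ends cannot
       tie the loader up.
    Returns the parsed root Element; raises LoadRefused or ET.ParseError."""
    root = Path(allowed_root).resolve()
    target = (root / relpath).resolve()
    if root != target and root not in target.parents:
        raise LoadRefused(f"{relpath!r} resolves outside {root}")
    # O_NOFOLLOW: the final component was already resolved, so a symlink that
    # appeared since is an attempt to swap the file under us. O_NONBLOCK: opening
    # a FIFO must not hang waiting for a writer; the type is checked after open.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
    fd = os.open(target, flags)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise LoadRefused(f"{target} is not a regular file")
        chunks, total = [], 0
        while total <= max_bytes:  # stop as soon as the cap is exceeded
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    finally:
        os.close(fd)
    if total > max_bytes:
        raise LoadRefused(f"{target} exceeds {max_bytes} bytes")
    # ElementTree does not fetch external entities (it raises ParseError on an
    # undeclared entity), so a DOCTYPE in the file cannot pull in a second file.
    return ET.fromstring(b"".join(chunks))


def demo():
    """Build a constructed fixture directory and exercise each check.
    Returns a dict mapping case name to 'loaded:<tag>', 'refused' or 'malformed'."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "docs"
        root.mkdir()
        (root / "ok.xml").write_text("<doc><title>hello</title></doc>")
        (root / "bad.xml").write_text("<doc><title>unclosed</doc>")
        (root / "big.xml").write_bytes(b"<d>" + b"x" * 2048 + b"</d>")
        (Path(tmp) / "secret.xml").write_text("<s/>")  # sits outside the root
        cases = {
            "ok": "ok.xml",
            "malformed": "bad.xml",
            "too_big": "big.xml",
            "traversal": "../secret.xml",
            "absolute": "/etc/passwd",
        }
        if hasattr(os, "symlink") and os.path.exists("/dev/zero"):
            os.symlink("/dev/zero", root / "zero.xml")  # resolves outside root
            cases["dev_zero"] = "zero.xml"
        if hasattr(os, "mkfifo"):
            os.mkfifo(root / "fifo.xml")  # inside root, but not a regular file
            cases["fifo"] = "fifo.xml"
        for name, rel in cases.items():
            try:
                el = load_xml_confined(rel, root, max_bytes=1024)
                results[name] = f"loaded:{el.tag}"
            except LoadRefused:
                results[name] = "refused"
            except ET.ParseError:
                results[name] = "malformed"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} {outcome}")
```

The path check runs before the file is opened, which is why a symlink to /dev/zero inside the allowed directory is refused without ever touching the device; the regular-file check catches things like a FIFO created inside the directory, and the byte cap covers any file that is larger than expected or keeps growing while it is read. None of this replaces running the server in a chroot or container, which also confines the database process's own reads; it is the same idea applied at the point where user-supplied paths are accepted.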