Date: Fri, 13 Jan 2012 21:41:42 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/13/2012 03:30 PM, Nicolas Grégoire wrote:
> On Friday 13 January 2012 at 13:50 -0700, Kurt Seifried wrote:
>> Again I'm still not clear on what/how a security boundary is being
>> crossed. How does this elevate privileges or give you remote access
>> that you wouldn't already if you can upload arbitrary PHP scripts?
> XSLT 1.0, as defined by the W3C, doesn't allow saving the result of an
> XSL transformation to the file system. This feature is an extension
> provided by libxslt itself. As PHP 5 uses libxslt as its XSLT engine,
> PHP applications parsing external/untrusted XSLT expose this feature.
>
> An attacker can provide specially crafted XSLT code which will create an
> arbitrary file with chosen content ("0wn3d.php" in my example). Then,
> this PHP file is requested by the attacker and executed.
>
> Somewhat similar to an undocumented file upload feature ...

Right, but in this case to upload the file you need to put a custom PHP
script on the server, so no additional privilege or access is gained. Is
it common for these scripts to allow a remote user to specify the output
location (this seems unlikely to me)?

> Regards,
> Nicolas
>
> --

--
Kurt Seifried / Red Hat Security Response Team
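The defensive side of what Nicolas describes, as an added example that is not code from the thread or from PHP's own test suite: a PHP application that must process a stylesheet it did not author can tell libxslt to refuse file writes, directory creation and network writes before the transformation runs. This uses XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants, which exist from PHP 5.4 onward (the thread is about 5.3.9, where this API is not available); the XML document and stylesheet below are constructed sample input, and the function name hardenedTransform is this example's own.

```php
<?php
// Added example (not from the oss-security thread): run an XSLT
// transformation with libxslt's write extensions disabled.
// Requires PHP >= 5.4 for XSLTProcessor::setSecurityPrefs().

// Constructed sample input: a benign document and a benign stylesheet.
$xmlSource = <<<'XML'
<?xml version="1.0"?>
<users><user name="alice"/><user name="bob"/></users>
XML;

$xslSource = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="//user">
      <xsl:value-of select="@name"/>
      <xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
XSL;

/**
 * Transform $xml with the (untrusted) stylesheet $xsl while denying the
 * stylesheet any write access to the file system or the network.
 * Returns the transformation result as a string; throws on failure.
 */
function hardenedTransform($xml, $xsl)
{
    // LIBXML_NONET stops the parser itself from fetching remote resources.
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('invalid input XML');
    }
    $style = new DOMDocument();
    if (!$style->loadXML($xsl, LIBXML_NONET)) {
        throw new RuntimeException('invalid stylesheet');
    }

    $proc = new XSLTProcessor();
    // Deny the libxslt extensions that write output to disk or the
    // network (the path Nicolas describes). PHP 5.4 applies this set
    // (XSL_SECPREF_DEFAULT) by default; setting it explicitly documents
    // the intent and survives code elsewhere that resets the prefs.
    // Add XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK to also block
    // document() from reading local files or remote URLs.
    $proc->setSecurityPrefs(
        XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_WRITE_NETWORK
    );
    if (!$proc->importStylesheet($style)) {
        throw new RuntimeException('stylesheet import failed');
    }

    $out = $proc->transformToXml($doc);
    if ($out === false) {
        throw new RuntimeException('transformation failed');
    }
    return $out;
}

echo hardenedTransform($xmlSource, $xslSource);
```

With the write preferences set, a stylesheet that tries to use the libxslt output extensions fails the transformation (libxslt reports the denied operation as a warning) instead of dropping a file under the web root, so the "custom script on the server" in Kurt's question is no longer enough on its own; the remaining exposure is what the stylesheet can read, which the READ_* flags cover.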