Date: Fri, 13 Jan 2012 21:41:42 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/13/2012 03:30 PM, Nicolas Grégoire wrote:
> On Friday, 13 January 2012 at 13:50 -0700, Kurt Seifried wrote:
>> Again I'm still not clear on what/how a security boundary is being
>> crossed. How does this elevate privileges or give you remote access
>> that you wouldn't already if you can upload arbitrary PHP scripts?
> XSLT 1.0, as defined by the W3C, doesn't allow saving the result of an
> XSL transformation to the file system. This feature is an extension
> provided by libxslt itself. As PHP 5 uses libxslt as its XSLT engine,
> PHP applications parsing external/untrusted XSLT expose this feature.
>
> An attacker can provide specially crafted XSLT code which will create an
> arbitrary file with chosen content ("0wn3d.php" in my example). Then,
> this PHP file is requested by the attacker and executed.
>
> Somewhat similar to an undocumented file upload feature ...
Right, but in this case to upload the file you need to put a custom PHP
script on the server, so no additional privilege or access is gained. Is
it common for these scripts to allow a remote user to specify the output
location (this seems unlikely to me)?
> Regards,
> Nicolas
>
>


-- 

-- Kurt Seifried / Red Hat Security Response Team
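What an application that must run externally supplied stylesheets can do about the libxslt write extension discussed above, as an added example that is not code from this thread or from PHP itself: it assumes the PHP 5.4+ XSLTProcessor::setSecurityPrefs() API and the XSL_SECPREF_* constants (on PHP 5.3.9 the corresponding control is the xsl.security_prefs ini directive), explicitly forbids file and directory writes, network writes and local/remote reads from inside the stylesheet, and as defence in depth rejects any stylesheet that references the xsl:document or exsl:document extension elements before it reaches libxslt. The function names, the XPath pre-check and the sample input are constructed for this example.

```php
<?php
// Added example, not part of the oss-security thread. Assumes PHP >= 5.4
// (XSLTProcessor::setSecurityPrefs and the XSL_SECPREF_* constants exist).

const XSLT_NS = 'http://www.w3.org/1999/XSL/Transform';
const EXSL_NS = 'http://exslt.org/common';

/**
 * Defence in depth: report whether the stylesheet references the
 * document-writing extension elements (libxslt's xsl:document and EXSLT's
 * exsl:document). The security preferences set below are the real control;
 * this lets an application log/reject such input before libxslt sees it.
 */
function xslt_uses_write_extensions(DOMDocument $xsl): bool
{
    $xpath = new DOMXPath($xsl);
    $xpath->registerNamespace('xsl', XSLT_NS);
    $xpath->registerNamespace('exsl', EXSL_NS);
    $nodes = $xpath->query('//xsl:document | //exsl:document');
    return $nodes !== false && $nodes->length > 0;
}

/**
 * Transform untrusted XML with an untrusted XSLT stylesheet while denying the
 * stylesheet any filesystem or network side effects.
 */
function transform_untrusted(string $xmlString, string $xslString): string
{
    $xml = new DOMDocument();
    $xsl = new DOMDocument();
    // LIBXML_NONET: the parser itself must not fetch remote DTDs/entities.
    if (!$xml->loadXML($xmlString, LIBXML_NONET)
        || !$xsl->loadXML($xslString, LIBXML_NONET)) {
        throw new RuntimeException('Malformed XML or XSLT input');
    }
    if (xslt_uses_write_extensions($xsl)) {
        throw new RuntimeException('Stylesheet uses a document-writing extension');
    }

    $proc = new XSLTProcessor();
    // XSL_SECPREF_DEFAULT already forbids the three write operations; set
    // them explicitly (so a changed ini default cannot weaken this code) and
    // additionally forbid reading local files and network resources.
    $proc->setSecurityPrefs(
        XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_WRITE_NETWORK
        | XSL_SECPREF_READ_FILE
        | XSL_SECPREF_READ_NETWORK
    );
    // Deliberately no registerPHPFunctions(): that would let the stylesheet
    // call arbitrary PHP functions.
    $proc->importStylesheet($xsl);

    $out = $proc->transformToXml($xml);
    if ($out === false) {
        throw new RuntimeException('Transformation failed');
    }
    return $out;
}

// Constructed sample input: a harmless stylesheet that only emits text.
$sampleXml = '<root><msg>hello</msg></root>';
$sampleXsl = '<xsl:stylesheet version="1.0" xmlns:xsl="' . XSLT_NS . '">'
    . '<xsl:output method="text"/>'
    . '<xsl:template match="/"><xsl:value-of select="//msg"/></xsl:template>'
    . '</xsl:stylesheet>';

echo transform_untrusted($sampleXml, $sampleXsl), "\n";
```

Setting the preferences explicitly rather than relying on XSL_SECPREF_DEFAULT matters in deployments where xsl.security_prefs has been relaxed in php.ini; the XPath pre-check is there so a rejected stylesheet shows up in application logs as a distinct event rather than as a generic libxslt warning.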
