Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 14 Jan 2012 12:31:12 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Ignacio Espinosa <osu@...dvis.net>,
        Nicolas Grégoi
 re <nicolas.gregoire@...rri.fr>
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/14/2012 12:03 PM, Ignacio Espinosa wrote:
> On Fri, 13 Jan 2012 13:50:59 -0700
> Kurt Seifried <kseifried@...hat.com> wrote:
>> [...]
>> Ok I'm still not clear on what the security claim is. Are you saying you
>> can cause arbitrary text output via XSL/XML mangling tricks? And
>> combined with having a script that uses something like "<sax:output
>> href="0wn3d.php" method="text">" you can put arbitrary text content into
>> this file which could then result in the file being parsed? The problem
>> is you'd have to write a script that does this, writes to a local file
>> with a file ending in .php or .shtml or whatever, in which case it's
>> pretty clear the script writer MEANT to do that. Again I'm still not
>> clear on what/how a security boundary is being crossed. How does this
>> elevate privileges or give you remote access that you wouldn't already
>> if you can upload arbitrary PHP scripts?
>>
>>
> You don't need to upload arbitrary php scripts to make this works. Just uploading a crafted xslt file will create (before patch)  a file with arbitrary content, php code for example, as write-access is set for default.
>
> -- snip --
>         <sax:output href="0wn3d.php" method="text">
>         <xsl:value-of select="'&lt;?php system(\$_GET[&quot;cmd&quot;]);?&gt;'"/>
> -- snip --
>
>

Right but the script has to have the line

<sax:output href="0wn3d.php" method="text">

which means the author really meant to do this (output a php or shtml or whatever file), or can the attacker somehow control the output href commonly? It appears that this is not the case. This does not appear to be a security vulnerability. 

-- 

-- Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ