Date: Sat, 14 Jan 2012 12:31:12 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Ignacio Espinosa <osu@...dvis.net>, Nicolas Grégoire <nicolas.gregoire@...rri.fr> Subject: Re: CVE affected for PHP 5.3.9 ? On 01/14/2012 12:03 PM, Ignacio Espinosa wrote: > On Fri, 13 Jan 2012 13:50:59 -0700 > Kurt Seifried <kseifried@...hat.com> wrote: >> [...] >> Ok I'm still not clear on what the security claim is. Are you saying you >> can cause arbitrary text output via XSL/XML mangling tricks? And >> combined with having a script that uses something like "<sax:output >> href="0wn3d.php" method="text">" you can put arbitrary text content into >> this file which could then result in the file being parsed? The problem >> is you'd have to write a script that does this, writes to a local file >> with a file ending in .php or .shtml or whatever, in which case it's >> pretty clear the script writer MEANT to do that. Again I'm still not >> clear on what/how a security boundary is being crossed. How does this >> elevate privileges or give you remote access that you wouldn't already >> if you can upload arbitrary PHP scripts? >> >> > You don't need to upload arbitrary php scripts to make this works. Just uploading a crafted xslt file will create (before patch) a file with arbitrary content, php code for example, as write-access is set for default. > > -- snip -- > <sax:output href="0wn3d.php" method="text"> > <xsl:value-of select="'<?php system(\$_GET["cmd"]);?>'"/> > -- snip -- > > Right but the script has to have the line <sax:output href="0wn3d.php" method="text"> which means the author really meant to do this (output a php or shtml or whatever file), or can the attacker somehow control the output href commonly? It appears that this is not the case. This does not appear to be a security vulnerability. -- -- Kurt Seifried / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ