Date: Sat, 14 Jan 2012 12:31:12 -0700
From: Kurt Seifried <>
CC: Ignacio Espinosa <>,
        Nicolas Grégoire <>
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/14/2012 12:03 PM, Ignacio Espinosa wrote:
> On Fri, 13 Jan 2012 13:50:59 -0700
> Kurt Seifried <> wrote:
>> [...]
>> Ok I'm still not clear on what the security claim is. Are you saying you
>> can cause arbitrary text output via XSL/XML mangling tricks? And
>> combined with having a script that uses something like "<sax:output
>> href="0wn3d.php" method="text">" you can put arbitrary text content into
>> this file which could then result in the file being parsed? The problem
>> is you'd have to write a script that does this, writes to a local file
>> with a file ending in .php or .shtml or whatever, in which case it's
>> pretty clear the script writer MEANT to do that. Again I'm still not
>> clear on what/how a security boundary is being crossed. How does this
>> elevate privileges or give you remote access that you wouldn't already
>> have if you can upload arbitrary PHP scripts?
> You don't need to upload arbitrary php scripts to make this work. Just uploading a crafted xslt file will create (before patch) a file with arbitrary content, php code for example, as write-access is set by default.
> -- snip --
>         <sax:output href="0wn3d.php" method="text">
>         <xsl:value-of select="'&lt;?php system(\$_GET[&quot;cmd&quot;]);?&gt;'"/>
> -- snip --

Right but the script has to have the line

<sax:output href="0wn3d.php" method="text">

which means the author really meant to do this (output a php or shtml or whatever file), or can the attacker somehow control the output href commonly? It appears that this is not the case. This does not appear to be a security vulnerability.


-- Kurt Seifried / Red Hat Security Response Team
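The disagreement above turns on whether the stylesheet itself can carry the file-writing instruction. A defender who accepts user-supplied XSLT can check for that before handing the stylesheet to the processor. The following Python scanner is an added example, not code from either participant or from PHP; it walks a stylesheet and reports every element belonging to one of the libxslt extension namespaces that write result documents to disk. The namespace URIs (saxon, xalan redirect, exslt, xt) are my assumptions about what libxslt registers, and both sample stylesheets are constructed for this example, with a harmless placeholder in place of the payload quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Extension namespaces that libxslt implements for writing secondary result
# documents, mapped to the element local-names that perform the write.
# The URIs are assumptions of this example, not values from the thread.
FILE_WRITING_EXTENSIONS = {
    "http://icl.com/saxon": {"output"},                 # sax:output href="..."
    "http://xml.apache.org/xalan/redirect": {"write"},  # redirect:write file="..."
    "http://exslt.org/common": {"document"},            # exsl:document href="..."
    "http://www.jclark.com/xt": {"document"},           # xt:document href="..."
}


def find_file_writes(stylesheet_xml):
    """Return a list of (namespace:local-name, target) pairs, one per element
    in the stylesheet that would write a file when the transform runs."""
    root = ET.fromstring(stylesheet_xml)
    hits = []
    for elem in root.iter():
        # ElementTree encodes a namespaced tag as "{uri}local"; skip unqualified tags
        if not elem.tag.startswith("{"):
            continue
        ns, local = elem.tag[1:].split("}", 1)
        if local in FILE_WRITING_EXTENSIONS.get(ns, ()):
            # saxon/exslt/xt use href for the target path, xalan redirect uses file
            target = elem.get("href") or elem.get("file")
            hits.append((f"{ns}:{local}", target))
    return hits


def is_safe_to_run(stylesheet_xml):
    """True only if the stylesheet contains no file-writing extension element."""
    return not find_file_writes(stylesheet_xml)


# Constructed stylesheet shaped like the snippet quoted in the thread, but with
# placeholder text instead of PHP code.
CRAFTED = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sax="http://icl.com/saxon">
  <xsl:template match="/">
    <sax:output href="0wn3d.php" method="text">
      <xsl:value-of select="'constructed placeholder text'"/>
    </sax:output>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed stylesheet that only produces a primary result document.
BENIGN = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="'constructed placeholder text'"/>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for name, doc in (("crafted", CRAFTED), ("benign", BENIGN)):
        print(name, "->", find_file_writes(doc), "safe:", is_safe_to_run(doc))
```

The scan is a pre-filter, not a substitute for the processor's own setting: it only recognises the namespaces listed above, so the real control is to run the transform with file writes disabled (PHP 5.4 and later expose this through XSLTProcessor::setSecurityPrefs(), and the patch Ignacio refers to changed the default so that writes are off unless the script turns them on).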
