Date: Sun, 15 Jan 2012 01:15:54 +0100
From: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
To: oss-security@...ts.openwall.com
Subject: Re: CVE affected for PHP 5.3.9 ?


> Right but the script has to have the line
> <sax:output href="0wn3d.php" method="text">

Wrong.

The PHP code only has to call transformToXML() after having loaded the
malicious XSLT code via importStylesheet(). The XML data itself is
irrelevant for this bug and the "sax:output" tag isn't in the PHP script
but in the XSLT stylesheet provided by the attacker.

# LOAD XML FILE
$XML = new DOMDocument();
$XML->loadXML( $sXml );

# LOAD XSLT FILE
$XSL = new DOMDocument();
$XSL->loadXML( $sXsl ); // Content of $sXsl may be untrusted !

# START XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet( $XSL );

# TRANSFORM & PRINT
print $xslt->transformToXML( $XML ); // File creation !

Nicolas
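As an added example (not code from the post above), here is the same transformToXML() pattern with the two checks a defender would add: an XPath scan of the untrusted stylesheet for the document-writing extension elements libxslt supports (the post names saxon's "output"; the other namespaces are assumed from libxslt, not from the post), and XSLTProcessor::setSecurityPrefs(), which assumes PHP >= 5.4 (on 5.3.9 the equivalent knob is the xsl.security_prefs ini setting).

```php
<?php
// Added example, not code from the original mailing-list post.
// Assumes PHP >= 5.4 for XSLTProcessor::setSecurityPrefs().

// Return the names of elements in an untrusted stylesheet that ask libxslt
// to write a document. The saxon namespace is the one named in the post;
// exsl:document, xt:document and XSLT 1.1's xsl:document are libxslt's
// other write-capable extensions (assumption from libxslt, not the post).
function findWriteElements(DOMDocument $xsl): array {
    $writeElements = [
        'http://icl.com/saxon'                 => 'output',
        'http://exslt.org/common'              => 'document',
        'http://www.jclark.com/xt'             => 'document',
        'http://www.w3.org/1999/XSL/Transform' => 'document',
    ];
    $xp = new DOMXPath($xsl);
    $found = [];
    $i = 0;
    foreach ($writeElements as $ns => $local) {
        $prefix = 'e' . $i++;
        $xp->registerNamespace($prefix, $ns);
        foreach ($xp->query("//{$prefix}:{$local}") as $node) {
            $found[] = $node->tagName;   // e.g. "sax:output" for logging
        }
    }
    return $found;
}

function transformUntrusted(string $sXml, string $sXsl): string {
    $XML = new DOMDocument();
    $XML->loadXML($sXml);

    $XSL = new DOMDocument();
    $XSL->loadXML($sXsl);            // attacker-controlled stylesheet

    // Detection: refuse (and log) stylesheets that request file output.
    $bad = findWriteElements($XSL);
    if ($bad) {
        throw new RuntimeException(
            'stylesheet requests document output: ' . implode(', ', $bad));
    }

    $xslt = new XSLTProcessor();
    // Mitigation: XSL_SECPREF_DEFAULT forbids writing files, creating
    // directories and network writes, so a write attempt that slipped past
    // the scan fails inside libxslt instead of creating a file.
    $xslt->setSecurityPrefs(XSL_SECPREF_DEFAULT);
    $xslt->importStylesheet($XSL);
    return $xslt->transformToXML($XML);
}
```

The scan is a detection aid only; the security preferences are what actually stop the write, so keep both even on a patched PHP.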
