Date: Sat, 14 Jan 2012 19:44:07 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/14/2012 05:15 PM, Nicolas Grégoire wrote:
>> Right but the script has to have the line
>> <sax:output href="0wn3d.php" method="text">
> Wrong.
>
> The PHP code only has to call transformToXML() after having loaded the
> malicious XSLT code via importStylesheet(). The XML data itself is
> irrelevant for this bug and the "sax:output" tag isn't in the PHP script
> but in the XSLT stylesheet provided by the attacker.
>
> # LOAD XML FILE
> $XML = new DOMDocument();
> $XML->loadXML( $sXml );
>
> # LOAD XSLT FILE
> $XSL = new DOMDocument();
> $XSL->loadXML( $sXsl ); // Content of $sXsl may be untrusted!
>
> # START XSLT
> $xslt = new XSLTProcessor();
> $xslt->importStylesheet( $XSL );
>
> # TRANSFORM & PRINT
> print $xslt->transformToXML( $XML ); // File creation!
>
> Nicolas
>
So the attacker can control the output file name/location via a
malformed input from the attacker only? This would have been good to
have in your original info (we could have avoided this back and forth).
Can you provide a reproducer (vuln script and a malicious input) that
shows this in action (e.g. creates a local php file)?

-- 

-- Kurt Seifried / Red Hat Security Response Team
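The pattern Nicolas describes, rewritten from the defender's side as an added example (not code from either poster): the same load/import/transform sequence, but the untrusted stylesheet is first scanned for libxslt's file-writing extension elements and the processor is then told to refuse file writes outright. It assumes PHP 5.4 or later, where XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants exist; the exslt/xt/xsl:document entries are assumed equivalents of the sax:output element quoted in the thread, and $sXml/$sXsl stand in for untrusted input.

```php
<?php
// Added example, not from the thread. Requires PHP >= 5.4 (setSecurityPrefs).

// Returns "ns:name" of the first file-writing extension element found in the
// stylesheet, or false. sax:output is the element quoted in the thread; the
// others are assumed to be libxslt's equivalents (exslt/xt/XSLT 1.1 draft).
function stylesheetWritesFiles(DOMDocument $xsl) {
    $fileWriters = array(
        'http://icl.com/saxon'                    => array('output'),
        'http://exslt.org/common'                 => array('document'),
        'http://www.jclark.com/xt'                => array('document'),
        'http://www.w3.org/1999/XSL/Transform'    => array('document'),
    );
    foreach ($fileWriters as $ns => $names) {
        foreach ($names as $name) {
            if ($xsl->getElementsByTagNameNS($ns, $name)->length > 0) {
                return "$ns:$name";
            }
        }
    }
    return false;
}

function transformUntrusted($sXml, $sXsl) {
    $XML = new DOMDocument();
    $XML->loadXML($sXml);

    $XSL = new DOMDocument();
    $XSL->loadXML($sXsl);               // attacker-controlled stylesheet

    // Layer 1: reject stylesheets that visibly use a file-writing element.
    // This only sees the top-level document, not anything it xsl:includes.
    if (($el = stylesheetWritesFiles($XSL)) !== false) {
        throw new RuntimeException("stylesheet rejected: uses $el");
    }

    $xslt = new XSLTProcessor();
    // Layer 2: make libxslt itself refuse file/directory/network writes, so
    // the transform fails instead of creating a file even if layer 1 is
    // bypassed (e.g. via an included stylesheet).
    $xslt->setSecurityPrefs(XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK);
    $xslt->importStylesheet($XSL);
    $out = $xslt->transformToXML($XML);
    if ($out === false) {
        throw new RuntimeException('transform refused or failed');
    }
    return $out;
}

// Constructed benign input, to show the normal path still works.
$sXml = '<a>hello</a>';
$sXsl = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
      . '<xsl:template match="/"><p><xsl:value-of select="/a"/></p></xsl:template></xsl:stylesheet>';
print transformUntrusted($sXml, $sXsl);
```

On PHP 5.4 and later the processor's default preferences already forbid writes; the explicit call documents the intent and protects code that later changes the prefs.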
