Date: Sat, 14 Jan 2012 19:44:07 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/14/2012 05:15 PM, Nicolas Grégoire wrote:
>> Right but the script has to have the line
>> <sax:output href="0wn3d.php" method="text">
> Wrong.
>
> The PHP code only has to call transformToXML() after having loaded the
> malicious XSLT code via importStylesheet(). The XML data itself is
> irrelevant for this bug and the "sax:output" tag isn't in the PHP script
> but in the XSLT stylesheet provided by the attacker.
>
> # LOAD XML FILE
> $XML = new DOMDocument();
> $XML->loadXML( $sXml );
>
> # LOAD XSLT FILE
> $XSL = new DOMDocument();
> $XSL->loadXML( $sXsl ); // Content of $sXsl may be untrusted !
>
> # START XSLT
> $xslt = new XSLTProcessor();
> $xslt->importStylesheet( $XSL );
>
> # TRANSFORM & PRINT
> print $xslt->transformToXML( $XML ); // File creation !
>
> Nicolas
>

So the attacker can control the output file name/location via a malformed
input from the attacker only? This would have been good to have in your
original info (we could have avoided this back and forth). Can you provide
a reproducer (vuln script and a malicious input) that shows this in action
(e.g. creates a local php file)?

--
-- Kurt Seifried / Red Hat Security Response Team
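The hardened counterpart of the snippet quoted above, added here as an editor's example rather than code from the thread or from PHP's own documentation: the same load/import/transform sequence, but with libxslt's write operations switched off before the untrusted stylesheet is imported. It assumes PHP 5.4 or later, where XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants exist (the 5.3.9 build discussed in the thread has no such API, so there the only defence is not to process attacker-supplied stylesheets at all); the function name, the sample XML and the sample stylesheet are constructed for illustration.

```php
<?php
// Added example (not from the oss-security thread). Transforms XML with a
// stylesheet that may come from an untrusted source while refusing every
// side effect the stylesheet could otherwise trigger through libxslt:
// writing files (sax:output / exsl:document / xsl:document), creating
// directories, and reading or writing over the network.
// Requires PHP >= 5.4 for XSLTProcessor::setSecurityPrefs().

function transformUntrustedStylesheet(string $sXml, string $sXsl): string
{
    // Collect libxml errors ourselves instead of emitting PHP warnings.
    libxml_use_internal_errors(true);

    // LIBXML_NONET stops both documents from fetching external entities
    // or DTDs over the network while they are parsed.
    $xml = new DOMDocument();
    if (!$xml->loadXML($sXml, LIBXML_NONET)) {
        throw new RuntimeException('XML input does not parse');
    }

    $xsl = new DOMDocument();
    if (!$xsl->loadXML($sXsl, LIBXML_NONET)) {
        throw new RuntimeException('XSLT input does not parse');
    }

    $proc = new XSLTProcessor();

    // Each XSL_SECPREF_* bit that is set FORBIDS that operation. Setting
    // all of them leaves the stylesheet with pure transformation only, so
    // an <sax:output href="..."> element is rejected by libxslt instead of
    // creating a file next to the web root. The call returns the previous
    // preferences; keep them if you need to restore them later.
    $previous = $proc->setSecurityPrefs(
        XSL_SECPREF_READ_FILE
        | XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK
        | XSL_SECPREF_WRITE_NETWORK
    );

    $proc->importStylesheet($xsl);
    $out = $proc->transformToXML($xml);

    $proc->setSecurityPrefs($previous);

    if ($out === false) {
        // Any forbidden operation or transform error ends up here; the
        // collected messages say which one.
        $messages = array_map(
            function ($e) { return trim($e->message); },
            libxml_get_errors()
        );
        libxml_clear_errors();
        throw new RuntimeException('transform failed: ' . implode('; ', $messages));
    }
    return $out;
}

// Constructed sample input: a benign stylesheet that only rewrites the
// document, which is all a stylesheet should be allowed to do here.
$sampleXml = '<?xml version="1.0"?><greeting to="world"/>';
$sampleXsl = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/greeting">Hello, <xsl:value-of select="@to"/>!</xsl:template>
</xsl:stylesheet>
XSL;

print transformUntrustedStylesheet($sampleXml, $sampleXsl) . "\n";
```

The point of the example is the ordering: setSecurityPrefs() must run before importStylesheet(), because the preferences are attached to the processor when the stylesheet is compiled. With the preferences set, a stylesheet containing the sax:output element from the quoted message no longer produces a file; libxslt reports the write as forbidden and the function raises instead of silently returning output. Treat the stylesheet, not just the XML data, as the untrusted input when reviewing code of this shape.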