Date: Tue, 17 Jan 2012 20:20:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>,
        security@....net
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/15/2012 10:08 AM, Nicolas Grégoire wrote:
>> Can you provide a reproducer (vuln script and a malicious input) that
>> shows this in action (e.g. creates a local php file).
> Please find attached the "php539-xslt.php" script.
>
> This script displays by default a pre-filled HTML form including some
> XML data and XSLT code. When the form is submitted, the user-controlled
> XML data is transformed using the user-controlled XSLT code. Then, the
> output of this transformation is displayed in the browser.
>
> When executed, the pre-filled XSLT code will write
> to /var/www/xxx/backdoor.php this content:
>
> <html><body>
> <h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
> <?php phpinfo()?>
> </body></html>
>
> Note: the payload is encrypted with RC4. A static key ("simple_demo")
> embedded in the XSLT code is used to decrypt it.
>
> Regards,
> Nicolas
>
>
Apologies for the delay, this is definitely an issue. Please use
CVE-2012-0057 for this issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team
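The report above is about user-controlled XSLT being able to write files on the web server through PHP's XSLT extension. As an added example, not code from the thread or from PHP's own reproducer, here is how a defender restricts such a transform with the security-preferences API PHP 5.4 introduced for this purpose (XSLTProcessor::setSecurityPrefs); it assumes PHP 7.1 or later with the xsl extension, and the sample XML and stylesheet are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.1 with the
// xsl extension; XSLTProcessor::setSecurityPrefs() has existed since PHP 5.4.
libxml_use_internal_errors(true);

function hardenedTransform(string $xml, string $xslt): ?string
{
    // LIBXML_NONET: refuse to fetch external resources while parsing either document.
    $stylesheet = new DOMDocument();
    if (!$stylesheet->loadXML($xslt, LIBXML_NONET)) {
        return null;
    }
    $input = new DOMDocument();
    if (!$input->loadXML($xml, LIBXML_NONET)) {
        return null;
    }

    $proc = new XSLTProcessor();
    // Forbid every side effect beyond producing output: no file writes (the
    // behaviour the report above abused), no directory creation, no network I/O.
    $proc->setSecurityPrefs(
        XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK
        | XSL_SECPREF_WRITE_NETWORK
    );
    if (!$proc->importStylesheet($stylesheet)) {
        return null;
    }
    $result = $proc->transformToXml($input);
    return $result === false ? null : $result;
}

// Constructed sample input: a harmless document and a stylesheet that only
// reshapes it. A stylesheet that tries to write a file is refused instead.
$sampleXml  = '<items><item>alpha</item><item>beta</item></items>';
$sampleXslt = <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/items">
    <ul><xsl:for-each select="item"><li><xsl:value-of select="."/></li></xsl:for-each></ul>
  </xsl:template>
</xsl:stylesheet>
XSL;

$out = hardenedTransform($sampleXml, $sampleXslt);
echo $out === null ? "transform refused or failed\n" : $out;
```

On PHP versions before 5.4, which the thread concerns, no such API exists, so the only mitigation there is to never feed user-supplied stylesheets to XSLTProcessor at all.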
