Date: Tue, 17 Jan 2012 20:20:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nicolas Grégoire <nicolas.gregoire@...rri.fr>, security@....net
Subject: Re: CVE affected for PHP 5.3.9 ?

On 01/15/2012 10:08 AM, Nicolas Grégoire wrote:
>> Can you provide a reproducer (vuln script and a malicious input) that
>> shows this in action (e.g. creates a local php file).
> Please find attached the "php539-xslt.php" script.
>
> This script displays by default a pre-filled HTML form including some
> XML data and XSLT code. When the form is submitted, the user-controlled
> XML data is transformed using the user-controlled XSLT code. Then, the
> output of this transformation is displayed in the browser.
>
> When executed, the pre-filled XSLT code will write
> to /var/www/xxx/backdoor.php this content :
>
> <html><body>
> <h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
> <?php phpinfo()?>
> </body></html>
>
> Note : the payload is encrypted with RC4. A static key ("simple_demo")
> embedded in the XSLT code is used to decrypt it.
>
> Regards,
> Nicolas
>

Apologies for the delay, this is definitely an issue. Please use
CVE-2012-0057 for this issue.

--
-- Kurt Seifried / Red Hat Security Response Team
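The issue in the thread is a PHP application handing a user-controlled stylesheet to libxslt with no restrictions, so the stylesheet itself can make the transformation write files on the server. The code below is an added example, not the reproducer script discussed in the thread nor anything from the PHP project: it shows the weak pattern beside the hardened one, where every stylesheet-initiated file and network operation is denied before the transform runs. It assumes PHP 5.4 or later with ext/xsl, where XSLTProcessor::setSecurityPrefs(), XSLTProcessor::getSecurityPrefs() and the XSL_SECPREF_* constants exist; the helper names and the sample input are constructed for the example.

```php
<?php
// Added example (not the thread's reproducer): transforming untrusted XML
// with untrusted XSLT safely. Assumes PHP >= 5.4 with ext/xsl.

// Weak pattern, kept only for contrast: nothing stops the stylesheet from
// asking libxslt to write files or open network connections.
function transformUnrestricted(DOMDocument $xml, DOMDocument $xslt)
{
    $proc = new XSLTProcessor();
    $proc->importStylesheet($xslt);
    return $proc->transformToXml($xml);
}

// Mask of every privileged operation a stylesheet may request.
function allXsltPrivileges()
{
    return XSL_SECPREF_READ_FILE
        | XSL_SECPREF_WRITE_FILE
        | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK
        | XSL_SECPREF_WRITE_NETWORK;
}

// Hardened factory: deny all of them, and refuse to proceed on a build
// where the restriction cannot be applied at all.
function secureXsltProcessor()
{
    $proc = new XSLTProcessor();
    if (!method_exists($proc, 'setSecurityPrefs')) {
        throw new RuntimeException(
            'XSLTProcessor::setSecurityPrefs() unavailable; refusing to run untrusted XSLT');
    }
    $proc->setSecurityPrefs(allXsltPrivileges());
    // Verify the mask actually took effect rather than trusting the call.
    if (($proc->getSecurityPrefs() & allXsltPrivileges()) !== allXsltPrivileges()) {
        throw new RuntimeException('XSLT security preferences were not applied');
    }
    return $proc;
}

// Parse both documents without network access, then transform.
function transformUntrusted($xmlText, $xsltText)
{
    $xml = new DOMDocument();
    if (!@$xml->loadXML($xmlText, LIBXML_NONET)) {
        throw new InvalidArgumentException('invalid XML input');
    }
    $xslt = new DOMDocument();
    if (!@$xslt->loadXML($xsltText, LIBXML_NONET)) {
        throw new InvalidArgumentException('invalid XSLT input');
    }
    $proc = secureXsltProcessor();
    $proc->importStylesheet($xslt);
    $out = $proc->transformToXml($xml);
    if ($out === false) {
        // libxslt aborts the transform when a denied operation is attempted.
        throw new RuntimeException('transformation failed or was refused');
    }
    return $out;
}

// Constructed sample input: a harmless stylesheet that only reads the XML.
$sampleXml  = '<items><item>a</item><item>b</item></items>';
$sampleXslt = '<?xml version="1.0"?>'
    . '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    . '<xsl:output method="text"/>'
    . '<xsl:template match="/"><xsl:value-of select="count(//item)"/></xsl:template>'
    . '</xsl:stylesheet>';

try {
    echo "item count: ", trim(transformUntrusted($sampleXml, $sampleXslt)), "\n";
} catch (Exception $e) {
    fwrite(STDERR, "refused: " . $e->getMessage() . "\n");
    exit(1);
}
```

With the denied mask in place, a stylesheet that tries to create or write a file is stopped by libxslt and the transform fails instead of leaving a file behind, which is the outcome a defender wants for the script described above. The method_exists() guard matters on older interpreters such as the 5.3 line discussed in the thread, where no such restriction is available and the only safe choice is not to run untrusted stylesheets at all.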