php-gettext php code execution in select_string, ngettext, npgettext count parameter <1.0.12

[crashenator () gmail com]

CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12
Vulnerability - "code injection into the ngettext family of calls: 
evaluating the plural form formula can execute arbitrary code if number 
is passed unsanitized from the untrusted user."
Description -
In 1.0.11 and lower the select_string function appears as the following:

  /**
   * Detects which plural form to take
   *
   * @access private
   * @param n count
   * @return int array index of the right plural form
   */
  function select_string($n) {
    $string = $this->get_plural_forms();
    $string = str_replace('nplurals',"\$total",$string);
    $string = str_replace("n",$n,$string);
    $string = str_replace('plural',"\$plural",$string);
    $total = 0;
    $plural = 0;
    eval("$string");
    if ($plural >= $total) $plural = $total - 1;
    return $plural;
  }

The vulnerability here lies in the fact that $string is evaluated as PHP 
code.  If the plural form contains an 'n', and the $n parameter is 
exposed to a malicious user, PHP code can be added to the value of 
$string before it is evaluated.  For websites, this means that a 
vulnerable application could allow an attacker to run PHP code on your 
site and potentially gain control of it.

The $n parameter in select_string can also be exposed through ngettext 
and npgettext as the $number parameter.

The new release 1.0.12 was made available shortly after notification in 
2015 and resolves the issue by raising an exception during non-numeric 
input to these parameters.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/