Full Disclosure mailing list archives
php-gettext php code execution in select_string, ngettext, npgettext count parameter <1.0.12
From: crashenator () gmail com
Date: Mon, 15 Aug 2016 06:59:36 -0500
CERT ID - VU#520504 (pending since 2015) Product - php-gettext Company - Danilo Segan Name - php-gettext php code execution Versions - <1.0.12 Patched - 11/11/2015 Ref: https://launchpad.net/php-gettext/trunk/1.0.12Vulnerability - "code injection into the ngettext family of calls: evaluating the plural form formula can execute arbitrary code if number is passed unsanitized from the untrusted user."
Description - In 1.0.11 and lower the select_string function appears as the following: /** * Detects which plural form to take * * @access private * @param n count * @return int array index of the right plural form */ function select_string($n) { $string = $this->get_plural_forms(); $string = str_replace('nplurals',"\$total",$string); $string = str_replace("n",$n,$string); $string = str_replace('plural',"\$plural",$string); $total = 0; $plural = 0; eval("$string"); if ($plural >= $total) $plural = $total - 1; return $plural; }The vulnerability here lies in the fact that $string is evaluated as PHP code. If the plural form contains an 'n', and the $n parameter is exposed to a malicious user, PHP code can be added to the value of $string before it is evaluated. For websites, this means that a vulnerable application could allow an attacker to run PHP code on your site and potentially gain control of it.
The $n parameter in select_string can also be exposed through ngettext and npgettext as the $number parameter.
The new release 1.0.12 was made available shortly after notification in 2015 and resolves the issue by raising an exception during non-numeric input to these parameters.
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- php-gettext php code execution in select_string, ngettext, npgettext count parameter <1.0.12 crashenator (Aug 16)