Re: CVE affected for PHP 5.3.9 ?

[Kurt Seifried <kseifried () redhat com>]

On 01/14/2012 12:03 PM, Ignacio Espinosa wrote:
> On Fri, 13 Jan 2012 13:50:59 -0700
> Kurt Seifried <kseifried () redhat com> wrote:
> > [...]
> > Ok I'm still not clear on what the security claim is. Are you saying you
> > can cause arbitrary text output via XSL/XML mangling tricks? And
> > combined with having a script that uses something like "<sax:output
> > href="0wn3d.php" method="text">" you can put arbitrary text content into
> > this file which could then result in the file being parsed? The problem
> > is you'd have to write a script that does this, writes to a local file
> > with a file ending in .php or .shtml or whatever, in which case it's
> > pretty clear the script writer MEANT to do that. Again I'm still not
> > clear on what/how a security boundary is being crossed. How does this
> > elevate privileges or give you remote access that you wouldn't already
> > if you can upload arbitrary PHP scripts?
> You don't need to upload arbitrary php scripts to make this works. Just uploading a crafted xslt file will create 
> (before patch)  a file with arbitrary content, php code for example, as write-access is set for default.
>
> -- snip --
>         <sax:output href="0wn3d.php" method="text">
>         <xsl:value-of select="'&lt;?php system(\$_GET[&quot;cmd&quot;]);?&gt;'"/>
> -- snip --

Right but the script has to have the line

<sax:output href="0wn3d.php" method="text">

which means the author really meant to do this (output a php or shtml or whatever file), or can the attacker somehow 
control the output href commonly? It appears that this is not the case. This does not appear to be a security 
vulnerability. 

-- 

-- Kurt Seifried / Red Hat Security Response Team