oss-sec mailing list archives
Re: CVE affected for PHP 5.3.9 ?
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Sun, 15 Jan 2012 01:15:54 +0100
> Right but the script has to have the line <sax:output href="0wn3d.php" method="text">

Wrong. The PHP code only has to call transformToXML() after having loaded the malicious XSLT code via importStylesheet(). The XML data itself is irrelevant for this bug and the "sax:output" tag isn't in the PHP script but in the XSLT stylesheet provided by the attacker.

    # LOAD XML FILE
    $XML = new DOMDocument();
    $XML->loadXML( $sXml );

    # LOAD XSLT FILE
    $XSL = new DOMDocument();
    $XSL->loadXML( $sXsl ); // Content of $sXsl may be untrusted !

    # START XSLT
    $xslt = new XSLTProcessor();
    $xslt->importStylesheet( $XSL );

    # TRANSFORM & PRINT
    print $xslt->transformToXML( $XML ); // File creation !

Nicolas
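Added example, not part of the original message or of PHP's own code: the same load/import/transform sequence with libxslt file and network access denied before the untrusted stylesheet is imported. It assumes a PHP build where XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants are available; the function name transformUntrusted() and the sample stylesheets are constructed for illustration.

```php
<?php
const XSL_NS = 'http://www.w3.org/1999/XSL/Transform';

// Hypothetical helper: transform $sXml with a stylesheet that may be untrusted.
function transformUntrusted(string $sXml, string $sXsl): string
{
    $xml = new DOMDocument();
    $xsl = new DOMDocument();
    // LIBXML_NONET: no network fetches while parsing either document.
    if (!$xml->loadXML($sXml, LIBXML_NONET) || !$xsl->loadXML($sXsl, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed XML or XSLT');
    }
    // Heuristic pre-check (defence in depth only): refuse stylesheets that
    // declare extension element prefixes or contain xsl:document.
    $xp = new DOMXPath($xsl);
    $xp->registerNamespace('xsl', XSL_NS);
    $hits = $xp->query('//@extension-element-prefixes'
        . ' | //@xsl:extension-element-prefixes | //xsl:document');
    if ($hits->length > 0) {
        throw new RuntimeException('stylesheet declares extension or output elements');
    }
    $xslt = new XSLTProcessor();
    // The actual control: forbid file, directory and network access in libxslt.
    $xslt->setSecurityPrefs(
        XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK
        | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK
    );
    if (!$xslt->importStylesheet($xsl)) {
        throw new RuntimeException('stylesheet rejected by libxslt');
    }
    $out = $xslt->transformToXml($xml);
    if (!is_string($out)) {
        throw new RuntimeException('transformation failed');
    }
    return $out;
}

// Constructed inputs: a plain stylesheet, and one that only declares an
// extension prefix (placeholder namespace, no extension element used).
$sXml = '<doc><item>ok</item></doc>';
$head = '<xsl:stylesheet version="1.0" xmlns:xsl="' . XSL_NS . '"';
$body = '><xsl:output method="text"/><xsl:template match="/">'
      . '<xsl:value-of select="doc/item"/></xsl:template></xsl:stylesheet>';
echo transformUntrusted($sXml, $head . $body), "\n";
try {
    transformUntrusted($sXml, $head . ' xmlns:ext="urn:example:ext" extension-element-prefixes="ext"' . $body);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Denying XSL_SECPREF_READ_FILE and XSL_SECPREF_READ_NETWORK is stricter than blocking writes alone and will also stop stylesheets that load other files, so relax those two flags only for stylesheets you control.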