oss-sec mailing list archives
Re: CVE affected for PHP 5.3.9 ?
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Jan 2012 20:20:04 -0700
On 01/15/2012 10:08 AM, Nicolas Grégoire wrote:
Can you provide a reproducer (vuln script and a malicious input) that shows this in action (e.g. creates a local php file).Please find attached the "php539-xslt.php" script. This script displays by default a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content : <html><body> <h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1> <?php phpinfo()?> </body></html> Note : the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it. Regards, Nicolas
Apologies for the delay, this is definitely an issue. Please use CVE-2012-0057 for this issue. -- -- Kurt Seifried / Red Hat Security Response Team
Current thread:
- Re: CVE affected for PHP 5.3.9 ?, (continued)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Ignacio Espinosa (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 14)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 15)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 17)
- Re: CVE affected for PHP 5.3.9 ? Nicolas Grégoire (Jan 13)
- Re: CVE affected for PHP 5.3.9 ? Kurt Seifried (Jan 13)