Re: CVE Request: Juju phpmyadmin charm

[dawg <mlyodawg () gmail com>]

Hello,

The second (replacement) argument passed to preg_replace is empty : it
doesn't use matched input. This can't be exploited.

Examples:

$ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));'
=> Nothing

$ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));'
=> phpinfo() get executed

Bye

Le 30/01/2014 10:16, Seth Arnold a écrit :
> Hello Kurt, vendors, MITRE,
>
> Please assign a CVE for the following issue:
>
> I discovered a potentially unsafe use of PHP's preg_replace() /e option in
> the Juju charm phpmyadmin:
>
> $xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e",
>     '', str_replace('media:hash',
>         'hash',
>       file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss&apos;))));
>
> An attacker able to spoof ARP, DNS, or BGP, or control any of the routers
> between the client and sourceforge.net, or control over the sourceforge
> project or sourceforge servers, would be in a position to insert likely
> aribtrary code into the PHP interpreter.
>
> The full source of this file can be found at:
>
> http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream
>
> I have reported the bug to:
>
> https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264
>
> The problem appears to have been introduced in revision 18. No fix is
> currently available.
>
> Thanks