Re: CVE Request: Juju phpmyadmin charm

[Seth Arnold <seth.arnold () canonical com>]

On Thu, Jan 30, 2014 at 10:51:48AM +1100, dawg wrote:
> Hello,
>
> The second (replacement) argument passed to preg_replace is empty : it
> doesn't use matched input. This can't be exploited.

Thanks dawg for finding my mistake.

I retract this CVE request.

Thanks

> Examples:
>
> $ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));'
> => Nothing
>
> $ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));'
> => phpinfo() get executed
>
> Bye
>
> Le 30/01/2014 10:16, Seth Arnold a écrit :
> > Hello Kurt, vendors, MITRE,
> >
> > Please assign a CVE for the following issue:
> >
> > I discovered a potentially unsafe use of PHP's preg_replace() /e option in
> > the Juju charm phpmyadmin:
> >
> > $xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e",
> >     '', str_replace('media:hash',
> >         'hash',
> >     file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss&apos;))));
> >
> > An attacker able to spoof ARP, DNS, or BGP, or control any of the routers
> > between the client and sourceforge.net, or control over the sourceforge
> > project or sourceforge servers, would be in a position to insert likely
> > aribtrary code into the PHP interpreter.
> >
> > The full source of this file can be found at:
> >
> > http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream
> >
> > I have reported the bug to:
> >
> > https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264
> >
> > The problem appears to have been introduced in revision 18. No fix is
> > currently available.
> >
> > Thanks

Attachment: signature.asc
Description: Digital signature