Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE affected for PHP 5.3.9 ?
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 14 Jan 2012 19:44:07 -0700

On 01/14/2012 05:15 PM, Nicolas Grégoire wrote:
Right but the script has to have the line
<sax:output href="0wn3d.php" method="text">
Wrong.

The PHP code only has to call transformToXML() after having loaded the
malicious XSLT code via importStylesheet(). The XML data itself is
irrelevant for this bug and the "sax:output" tag isn't in the PHP script
but in the XSLT stylesheet provided by the attacker.

# LOAD XML FILE 
$XML = new DOMDocument(); 
$XML->loadXML( $sXml ); 

# LOAD XSLT FILE 
$XSL = new DOMDocument(); 
$XSL->loadXML( $sXsl ); // Content of $xXsl may be untrusted !

# START XSLT 
$xslt = new XSLTProcessor(); 
$xslt->importStylesheet( $XSL );

# TRASNFORM & PRINT 
print $xslt->transformToXML( $XML ); // File creation !

Nicolas

So the attacker can control the output file name/location via a
malformed input from the attacker only? This would have been good to
have in your original info (we could have avoided this back and forth).
Can you provide a reproducer (vuln script and a malicious input) that
shows this in action (e.g. creates a local php file).

-- 

-- Kurt Seifried / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]