Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE affected for PHP 5.3.9 ?
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Jan 2012 20:20:04 -0700

On 01/15/2012 10:08 AM, Nicolas Grégoire wrote:
Can you provide a reproducer (vuln script and a malicious input) that
shows this in action (e.g. creates a local php file).
Please find attached the "php539-xslt.php" script.

This script displays by default a pre-filled HTML form including some
XML data and XSLT code. When the form is submitted, the user-controlled
XML data is transformed using the user-controlled XSLT code. Then, the
output of this transformation is displayed in the browser.

When executed, the pre-filled XSLT code will write
to /var/www/xxx/backdoor.php this content :

<html><body>
<h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
<?php phpinfo()?>
</body></html>

Note : the payload is encrypted with RC4. A static key ("simple_demo")
embedded in the XSLT code is used to decrypt it.

Regards,
Nicolas


Apologies for the delay, this is definitely an issue. Please use
CVE-2012-0057 for this issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault