Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: Juju phpmyadmin charm
From: dawg <mlyodawg () gmail com>
Date: Thu, 30 Jan 2014 10:51:48 +1100

Hello,

The second (replacement) argument passed to preg_replace is empty : it
doesn't use matched input. This can't be exploited.

Examples:

$ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));'
=> Nothing

$ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));'
=> phpinfo() get executed

Bye

Le 30/01/2014 10:16, Seth Arnold a écrit :
Hello Kurt, vendors, MITRE,

Please assign a CVE for the following issue:

I discovered a potentially unsafe use of PHP's preg_replace() /e option in
the Juju charm phpmyadmin:

$xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e",
    '', str_replace('media:hash',
        'hash',
      file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss&apos;))));

An attacker able to spoof ARP, DNS, or BGP, or control any of the routers
between the client and sourceforge.net, or control over the sourceforge
project or sourceforge servers, would be in a position to insert likely
aribtrary code into the PHP interpreter.

The full source of this file can be found at:

http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream

I have reported the bug to:

https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264

The problem appears to have been introduced in revision 18. No fix is
currently available.

Thanks



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]