
oss-sec mailing list archives
Re: CVE affected for PHP 5.3.9 ?
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Sun, 15 Jan 2012 18:08:15 +0100
> Can you provide a reproducer (vuln script and a malicious input) that shows this in action (e.g. creates a local php file).

Please find attached the "php539-xslt.php" script.

This script displays by default a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser.

When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content :

    <html><body>
    <h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
    <?php phpinfo()?>
    </body></html>

Note : the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it.

Regards,
Nicolas
Attachment: php539-xslt.php
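For a page that, like the form described in the message above, runs user-supplied XSLT over user-supplied XML, the following added example (not the attached php539-xslt.php and not code from the thread) shows the transformation with libxslt file and network access denied. It assumes PHP 7 or later with ext/xsl; XSLTProcessor::setSecurityPrefs() exists from PHP 5.4 onward; transformUntrusted() and the sample inputs are hypothetical names and constructed data.

```php
<?php
// Added example: hardened wrapper around an XSLT transform whose XML and
// stylesheet both come from the user. transformUntrusted() is a hypothetical
// helper name, not part of the attached script.

function transformUntrusted(string $xml, string $xsl): string
{
    // Forbid every file and network operation libxslt can be asked to perform
    // from inside a stylesheet (the default only forbids the write/create ones).
    $deny = XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE
          | XSL_SECPREF_CREATE_DIRECTORY
          | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK;

    $xmlDoc = new DOMDocument();
    $xslDoc = new DOMDocument();
    // LIBXML_NONET: the XML parser itself must not fetch anything remotely.
    if (!$xmlDoc->loadXML($xml, LIBXML_NONET) || !$xslDoc->loadXML($xsl, LIBXML_NONET)) {
        throw new InvalidArgumentException('XML or XSLT input is not well-formed');
    }

    $proc = new XSLTProcessor();
    $proc->setSecurityPrefs($deny);
    // registerPHPFunctions() is deliberately never called: an untrusted
    // stylesheet must not be able to reach PHP functions.
    if (!$proc->importStylesheet($xslDoc)) {
        throw new InvalidArgumentException('stylesheet could not be compiled');
    }

    $out = $proc->transformToXml($xmlDoc);
    if (!is_string($out)) {
        throw new RuntimeException('transformation failed or was refused');
    }
    return $out;
}

// Constructed sample input: a benign stylesheet that only produces text output.
$xml = '<items><item>a</item><item>b</item></items>';
$xsl = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
     . '<xsl:output method="text"/>'
     . '<xsl:template match="/"><xsl:value-of select="count(//item)"/> items</xsl:template>'
     . '</xsl:stylesheet>';

// Escape before echoing: the transform output is still attacker-influenced.
echo htmlspecialchars(transformUntrusted($xml, $xsl), ENT_QUOTES, 'UTF-8'), "\n";
```

Running the PHP worker with no write permission on the document root keeps a stylesheet-driven write from landing in a web-served directory even if the preferences are misconfigured.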