Date: Sun, 15 Jan 2012 18:08:15 +0100
From: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
To: oss-security@...ts.openwall.com
Subject: Re: CVE affected for PHP 5.3.9 ?


> Can you provide a reproducer (vuln script and a malicious input) that
> shows this in action (e.g. creates a local php file).

Please find attached the "php539-xslt.php" script.

This script displays by default a pre-filled HTML form including some
XML data and XSLT code. When the form is submitted, the user-controlled
XML data is transformed using the user-controlled XSLT code. Then, the
output of this transformation is displayed in the browser.

When executed, the pre-filled XSLT code will write
to /var/www/xxx/backdoor.php this content:

<html><body>
<h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
<?php phpinfo()?>
</body></html>

Note: the payload is encrypted with RC4. A static key ("simple_demo")
embedded in the XSLT code is used to decrypt it.

Regards,
Nicolas



Download attachment "php539-xslt.php" of type "application/x-php" (2038 bytes)
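The message above describes the risky pattern: user-controlled XML transformed by user-controlled XSLT, where the stylesheet is free to write files under the web root. The following is an added example of the defensive counterpart, not Nicolas's "php539-xslt.php" script and not part of the thread. It keeps the stylesheet server-side, accepts only the XML from the user, and denies the processor every file and network side effect via XSLTProcessor::setSecurityPrefs(), which exists in PHP 5.4 and later (on older builds such as 5.3.9 there is no such switch, so untrusted stylesheets must simply not be accepted). The stylesheet, the sample input and the function names are constructed for this example.

```php
<?php
// Added example (not the posted reproducer): render user-supplied XML with a
// trusted, server-side XSLT while forbidding the stylesheet any file or
// network access. Requires PHP >= 5.4 for XSLTProcessor::setSecurityPrefs().
declare(strict_types=1);

// Constructed sample: a trusted stylesheet that lives on the server, never
// in the request. This is the single most important change: the user no
// longer controls the XSLT at all.
const TRUSTED_XSLT = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <ul>
      <xsl:for-each select="/items/item">
        <li><xsl:value-of select="."/></li>
      </xsl:for-each>
    </ul>
  </xsl:template>
</xsl:stylesheet>
XSL;

// Mask that denies every side effect libxslt can be asked to perform
// (reading/writing local files, creating directories, network I/O).
const DENY_ALL_SECPREFS = XSL_SECPREF_READ_FILE
    | XSL_SECPREF_WRITE_FILE
    | XSL_SECPREF_CREATE_DIRECTORY
    | XSL_SECPREF_READ_NETWORK
    | XSL_SECPREF_WRITE_NETWORK;

// Build a processor for a trusted stylesheet with all side effects denied.
function hardenedProcessor(string $xslt): XSLTProcessor
{
    $style = new DOMDocument();
    // LIBXML_NONET: the parser itself must not fetch anything over the network.
    if (!$style->loadXML($xslt, LIBXML_NONET)) {
        throw new RuntimeException('trusted stylesheet failed to parse');
    }
    $proc = new XSLTProcessor();
    // Default prefs already deny writes/dir creation/network writes; we go
    // further and deny reads as well, since this stylesheet needs neither.
    $proc->setSecurityPrefs(DENY_ALL_SECPREFS);
    $proc->importStylesheet($style);
    return $proc;
}

// Transform untrusted XML (constructed input in the self-check below).
function renderUntrustedXml(string $userXml): string
{
    $data = new DOMDocument();
    // Suppress libxml warnings on malformed input; fail closed instead.
    $prev = libxml_use_internal_errors(true);
    $ok = $data->loadXML($userXml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML input');
    }
    $html = hardenedProcessor(TRUSTED_XSLT)->transformToXml($data);
    if (!is_string($html)) {
        throw new RuntimeException('transformation failed');
    }
    return $html;
}

// Self-check: the processor really carries the deny mask, and a benign
// constructed document renders as expected.
$mask = hardenedProcessor(TRUSTED_XSLT)->getSecurityPrefs();
if (($mask & XSL_SECPREF_WRITE_FILE) !== XSL_SECPREF_WRITE_FILE) {
    throw new RuntimeException('file writes are not denied');
}
echo renderUntrustedXml('<items><item>a</item><item>b</item></items>');
```

The deny mask is belt-and-braces: once the stylesheet is no longer user-controlled, setSecurityPrefs() mainly protects against a trusted stylesheet that is later edited carelessly. Audit any stylesheet that genuinely needs a file or network permission, and grant only that single bit rather than relaxing the whole mask.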
