Date: Wed, 29 Jan 2014 16:08:19 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Juju phpmyadmin charm

On Thu, Jan 30, 2014 at 10:51:48AM +1100, dawg wrote:
> Hello,
> 
> The second (replacement) argument passed to preg_replace is empty: it
> doesn't use matched input. This can't be exploited.

Thanks dawg for finding my mistake.

I retract this CVE request.

Thanks

> Examples:
> 
> $ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));'
> => Nothing
> 
> $ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));'
> => phpinfo() gets executed
> 
> Bye
> 
> On 30/01/2014 10:16, Seth Arnold wrote:
> > Hello Kurt, vendors, MITRE,
> > 
> > Please assign a CVE for the following issue:
> > 
> > I discovered a potentially unsafe use of PHP's preg_replace() /e option in
> > the Juju charm phpmyadmin:
> > 
> > $xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e",
> >     '', str_replace('media:hash',
> >         'hash',
> > 	file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss'))));
> > 
> > An attacker able to spoof ARP, DNS, or BGP, or control any of the routers
> > between the client and sourceforge.net, or control over the sourceforge
> > project or sourceforge servers, would be in a position to insert likely
> > arbitrary code into the PHP interpreter.
> > 
> > The full source of this file can be found at:
> > 
> > http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream
> > 
> > I have reported the bug to:
> > 
> > https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264
> > 
> > The problem appears to have been introduced in revision 18. No fix is
> > currently available.
> > 
> > Thanks
> > 
> 
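
The check dawg applies above (does the replacement argument of a /e call carry matched input?) can be run over a code base as a first-pass audit. This is an added example, not part of the thread or of the charm's code; the regex-based parsing is a heuristic that only handles literal patterns, and in SAMPLE the first three lines are adapted from the calls quoted in the thread while the last two are constructed.

```python
import re

# A PHP string literal in single or double quotes, honouring backslash escapes.
_STR = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
# First two arguments of preg_replace(): a literal pattern, then the replacement.
_CALL = re.compile(r"\bpreg_replace\s*\(\s*(" + _STR + r")\s*,\s*(" + _STR + r"|[^,]+)", re.S)
# Backreference forms PHP substitutes into the replacement: $1, ${1}, \1.
_BACKREF = re.compile(r"\$\{?\d|\\+\d")
# Variable interpolated into a double-quoted replacement, e.g. "$code".
_INTERP = re.compile(r"(?<!\\)\$[A-Za-z_]")

def has_e_modifier(pattern_literal):
    """True if the PCRE modifiers after the closing delimiter include 'e'."""
    body = pattern_literal[1:-1]
    if not body:
        return False
    closing = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(body[0], body[0])
    end = body.rfind(closing)
    return end > 0 and "e" in body[end + 1:]

def classify(php_source):
    """Return (pattern, replacement, verdict) for every preg_replace() using /e."""
    findings = []
    for m in _CALL.finditer(php_source):
        pattern, repl = m.group(1), m.group(2).strip()
        if not has_e_modifier(pattern):
            continue
        if repl[:1] not in ("'", '"') or (repl[:1] == '"' and _INTERP.search(repl)):
            verdict = "review"      # replacement built at run time: trace its source
        elif _BACKREF.search(repl[1:-1]):
            verdict = "dangerous"   # matched input is substituted, then evaluated
        else:
            verdict = "constant"    # only a fixed string is evaluated
        findings.append((pattern, repl, verdict))
    return findings

# Constructed sample: PHP source held as text, never executed.
SAMPLE = r'''
print(preg_replace("/(.*)/e", "", $input));
print(preg_replace("/(.*)/e", "$1", $input));
$xml = preg_replace("/(<\/?)media\:content([^>]*>)/e",
    '', str_replace('media:hash', 'hash', $feed));
$out = preg_replace('/x(\d+)/e', $template, $input);
$ok = preg_replace('/(\w+)/', '$1', $input);
'''

if __name__ == "__main__":
    for pattern, repl, verdict in classify(SAMPLE):
        print(f"{verdict:9} pattern={pattern} replacement={repl}")
```

A "constant" verdict still leaves a /e call in place, so the modifier is worth dropping from such calls even though no matched input reaches the evaluator.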
