Date: Wed, 29 Jan 2014 16:08:19 -0800 From: Seth Arnold <seth.arnold@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: Juju phpmyadmin charm On Thu, Jan 30, 2014 at 10:51:48AM +1100, dawg wrote: > Hello, > > The second (replacement) argument passed to preg_replace is empty : it > doesn't use matched input. This can't be exploited. Thanks dawg for finding my mistake. I retract this CVE request. Thanks > Examples: > > $ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));' > => Nothing > > $ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));' > => phpinfo() get executed > > Bye > > Le 30/01/2014 10:16, Seth Arnold a écrit : > > Hello Kurt, vendors, MITRE, > > > > Please assign a CVE for the following issue: > > > > I discovered a potentially unsafe use of PHP's preg_replace() /e option in > > the Juju charm phpmyadmin: > > > > $xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e", > > '', str_replace('media:hash', > > 'hash', > > file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss')))); > > > > An attacker able to spoof ARP, DNS, or BGP, or control any of the routers > > between the client and sourceforge.net, or control over the sourceforge > > project or sourceforge servers, would be in a position to insert likely > > aribtrary code into the PHP interpreter. > > > > The full source of this file can be found at: > > > > http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream > > > > I have reported the bug to: > > > > https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264 > > > > The problem appears to have been introduced in revision 18. No fix is > > currently available. > > > > Thanks > > > [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ