Date: Sun, 15 Jan 2012 18:08:15 +0100 From: Nicolas Grégoire <nicolas.gregoire@...rri.fr> To: oss-security@...ts.openwall.com Subject: Re: CVE affected for PHP 5.3.9 ? > Can you provide a reproducer (vuln script and a malicious input) that > shows this in action (e.g. creates a local php file). Please find attached the "php539-xslt.php" script. This script displays by default a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content : <html><body> <h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1> <?php phpinfo()?> </body></html> Note : the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it. Regards, Nicolas Download attachment "php539-xslt.php" of type "application/x-php" (2038 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.