Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 29 Jan 2014 16:08:19 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Juju phpmyadmin charm

On Thu, Jan 30, 2014 at 10:51:48AM +1100, dawg wrote:
> Hello,
> 
> The second (replacement) argument passed to preg_replace is empty : it
> doesn't use matched input. This can't be exploited.

Thanks dawg for finding my mistake.

I retract this CVE request.

Thanks

> Examples:
> 
> $ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));'
> => Nothing
> 
> $ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));'
> => phpinfo() get executed
> 
> Bye
> 
> Le 30/01/2014 10:16, Seth Arnold a écrit :
> > Hello Kurt, vendors, MITRE,
> > 
> > Please assign a CVE for the following issue:
> > 
> > I discovered a potentially unsafe use of PHP's preg_replace() /e option in
> > the Juju charm phpmyadmin:
> > 
> > $xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e",
> >     '', str_replace('media:hash',
> >         'hash',
> > 	file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss'))));
> > 
> > An attacker able to spoof ARP, DNS, or BGP, or control any of the routers
> > between the client and sourceforge.net, or control over the sourceforge
> > project or sourceforge servers, would be in a position to insert likely
> > aribtrary code into the PHP interpreter.
> > 
> > The full source of this file can be found at:
> > 
> > http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream
> > 
> > I have reported the bug to:
> > 
> > https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264
> > 
> > The problem appears to have been introduced in revision 18. No fix is
> > currently available.
> > 
> > Thanks
> > 
> 

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.