Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

From version 17.1
edited by Nicolas Gregoire
on 2012/01/16 11:39
Change comment: There is no comment for this version
To version 20.1
edited by Nicolas Gregoire
on 2012/02/02 17:29
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -6,7 +6,7 @@
6 6  
7 7  = Creating files =
8 8  
9 -Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).
9 +Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]] / [[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank" title="CVE-2012-0057"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).
10 10  
11 11  == Simple PoC ==
12 12  
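Review bot: the `title="CVE-2012-0057"` attribute on the new link only repeats the link text and can be dropped, leaving `[[CVE-2012-0057>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057||rel="__blank"]]`. Putting the CVE next to the bug number is the right addition; while the sentence is being touched, it would help readers to also state what the 5.3.9 patch changed, so that a deployment can be checked by its behaviour rather than only by matching the version number.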
... ... @@ -25,3 +25,17 @@
25 25  | http:~/~/php.net/xsl| Any PHP function|[[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]]| A call to registerPHPFunctions() is needed
26 26  
27 27  The attached [[execute-code-via-libxslt.php>>attach:execute-code-via-libxslt.php]] PoC will use the passthru() PHP function to execute "uname -a".
28 +
29 += Reading binary files via PHP filters =
30 +
31 +{{warning}}
32 +Untested : could we read binary files too ?
33 +{{/warning}}
34 +
35 +<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
36 +<scan>&test;</scan>
37 +Source : http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
38 +
39 += Anti XEE =
40 +
41 +http://www.php.net/manual/en/function.libxml-disable-entity-loader.php
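Review bot: the new `= Anti XEE =` heading is a typo for XXE (XML eXternal Entity), and the section beneath it is a bare URL; add at least one sentence saying what the linked `libxml_disable_entity_loader` function does for the entity example above (stops the `SYSTEM` entity from being loaded). Two more points on the same hunk: the `<!DOCTYPE ...>` and `<scan>` lines are pasted as raw markup and will be mangled by the wiki renderer, so wrap them in a `{{code}}` macro the same way `{{warning}}` is used just above; and the warning text "Untested : could we read binary files too ?" should say which part is in doubt (the `php://filter` stream, the `convert.base64-encode` filter, or the entity loader) so that whoever tests it knows what to verify.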