Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29
From version Icon 13.1 Icon
edited by Nicolas Gregoire
on 2012/01/14 18:51
Change comment: There is no comment for this version
To version Icon 14.1 Icon
edited by Nicolas Gregoire
on 2012/01/16 11:33
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Content
... ... @@ -8,8 +8,22 @@
8 8  
9 9  Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell. This vulnerability ([[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]) was patched in version 5.3.9 ([[ChangeLog>>http://php.net/ChangeLog-5.php#5.3.9||rel="__blank"]]).
10 10  
11 -The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
11 +The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
12 12  
13 +A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP scipt will by default display a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled
14 +XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser.
15 +
16 +When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content :
17 +
18 +##
19 +<html><body>
20 +<h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
21 +<?php phpinfo()?>
22 +</body></html>
23 +##
24 +
25 +Note : the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it.
26 +
13 13  = Executing PHP code =
14 14  
15 15  A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows to execute standard PHP functions directly from the XSLT stylesheet. I never came across this pattern in real-life engagements but Google Code search references [[several>>http://www.google.com/codesearch#search/&q=registerPHPFunctions%20lang:%5Ephp$&type=cs||rel="__blank"]] instances of it (dork: "registerPHPFunctions lang:^php$"). This isn't a bug and will not be patched.