Bug 782657 (CVE-2012-0057)
| Summary: | CVE-2012-0057 php: XSLT file writing vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | fedora, jorton, kowalczykb, ltx985122, mjc, rpm |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | php 5.3.9 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-27 17:19:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 819855, 819856, 830727, 830728, 830729, 830730 | ||
| Bug Blocks: | 782956, 835958, 835959, 835960 | ||
Upstream bug report: https://bugs.php.net/bug.php?id=54446 Upstream commits: http://svn.php.net/viewvc/?view=revision&revision=313160 http://svn.php.net/viewvc/?view=revision&revision=316530 http://svn.php.net/viewvc/?view=revision&revision=317759 http://svn.php.net/viewvc/?view=revision&revision=317801 There's a difference in between 5.4 and 5.3 fixes. Both disable writing by default, however, there are different ways to control that default. 5.4 fix introduces XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs(), while 5.3 fix adds new xsl.security_prefs ini option. OSS-Security list discussion: http://thread.gmane.org/gmane.comp.security.oss.general/6672 This was fixed upstream in 5.3.9: http://www.php.net/ChangeLog-5.php#5.3.9 This issue has been addressed in the following security advisories for Fedora 15 and Fedora 16: Fedora-15: https://admin.fedoraproject.org/updates/FEDORA-2012-0420/php-5.3.9-1.fc15 Fedora-16: https://admin.fedoraproject.org/updates/FEDORA-2012-0504/php-5.3.9-1.fc16 This issue affects the version of php as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue affects the version of php53 as shipped with Red Hat Enterprise Linux 5. Will there be any updates to php53 (RHEL 5) to address this problem? Thanks This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html |
Nicolas Grégoire nicolas.gregoire Please find attached the "php539-xslt.php" script. This script displays by default a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content : <html><body> <h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1> <?php phpinfo()?> </body></html> Note : the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it. Regards, Nicolas Original thread: http://seclists.org/oss-sec/2012/q1/138 This message: http://seclists.org/oss-sec/2012/q1/157