Nicolas Grégoire nicolas.gregoire
Please find attached the "php539-xslt.php" script. This script displays by default a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser.
When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content:
<html><body>
<h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
<?php phpinfo()?>
</body></html>
Note: the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it.
Regards, Nicolas
Original thread: http://seclists.org/oss-sec/2012/q1/138
This message: http://seclists.org/oss-sec/2012/q1/157
Upstream bug report: https://bugs.php.net/bug.php?id=54446
Upstream commits:
http://svn.php.net/viewvc/?view=revision&revision=313160
http://svn.php.net/viewvc/?view=revision&revision=316530
http://svn.php.net/viewvc/?view=revision&revision=317759
http://svn.php.net/viewvc/?view=revision&revision=317801
There's a difference between the 5.4 and 5.3 fixes. Both disable writing by default; however, there are different ways to control that default. The 5.4 fix introduces XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs(), while the 5.3 fix adds a new xsl.security_prefs ini option.
OSS-Security list discussion: http://thread.gmane.org/gmane.comp.security.oss.general/6672
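The two controls described in the comment above, shown in an added example that is not code from the bug report or from PHP: a helper that applies an untrusted stylesheet only with file, directory and network writes forbidden. It assumes PHP 5.4 or later for XsltProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants; the else branch covers the 5.3.9 ini-only fix, and the sample XML and XSLT are constructed input standing in for the form's user-controlled data.

```php
<?php
// Added example (not from the bug report or PHP): run an untrusted
// stylesheet with the write capabilities abused in bug 54446 forbidden.
// Assumes PHP >= 5.4 for setSecurityPrefs() and XSL_SECPREF_* constants.

function makeHardenedProcessor(DOMDocument $stylesheet)
{
    $proc = new XSLTProcessor();

    if (method_exists($proc, 'setSecurityPrefs')) {
        // 5.4+: per-processor setting. Forbid all writes and, since untrusted
        // XSLT has no legitimate need for them, reads of local files and URLs.
        $forbid = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
                | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_READ_FILE
                | XSL_SECPREF_READ_NETWORK;
        $proc->setSecurityPrefs($forbid);
        // Verify the setting took effect before trusting the processor.
        if ($proc->getSecurityPrefs() !== $forbid) {
            throw new RuntimeException('could not restrict XSLT security prefs');
        }
    } else {
        // 5.3.9: only the global xsl.security_prefs ini setting exists. Its
        // default, 44, is the three write-forbidding bits (4|8|32); refuse
        // to run if an administrator has cleared any of them.
        $writeBits = 44;
        if (((int) ini_get('xsl.security_prefs') & $writeBits) !== $writeBits) {
            throw new RuntimeException('xsl.security_prefs allows writes');
        }
    }

    $proc->importStylesheet($stylesheet);
    return $proc;
}

// Constructed sample input standing in for the form's user-controlled data.
$xml = new DOMDocument();
$xml->loadXML('<root><item>hello</item></root>');
$xsl = new DOMDocument();
$xsl->loadXML('<xsl:stylesheet version="1.0"'
    . ' xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    . '<xsl:template match="/"><out><xsl:value-of select="//item"/></out>'
    . '</xsl:template></xsl:stylesheet>');

echo makeHardenedProcessor($xsl)->transformToXml($xml);
```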
This was fixed upstream in 5.3.9: http://www.php.net/ChangeLog-5.php#5.3.9
This issue has been addressed in the following security advisories for Fedora 15 and Fedora 16: Fedora-15: https://admin.fedoraproject.org/updates/FEDORA-2012-0420/php-5.3.9-1.fc15 Fedora-16: https://admin.fedoraproject.org/updates/FEDORA-2012-0504/php-5.3.9-1.fc16
This issue affects the version of php as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue affects the version of php53 as shipped with Red Hat Enterprise Linux 5.
Will there be any updates to php53 (RHEL 5) to address this problem? Thanks
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html