Nicolas Grégoire nicolas.gregoire@agarri.fr

Please find attached the "php539-xslt.php" script. This script displays by default a pre-filled HTML form including some XML data and XSLT code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser.

When executed, the pre-filled XSLT code will write to /var/www/xxx/backdoor.php this content:

<html><body>
<h1><font color="red">I'm a (very) malicious PHP file !!!</font></h1>
<?php phpinfo()?>
</body></html>

Note: the payload is encrypted with RC4. A static key ("simple_demo") embedded in the XSLT code is used to decrypt it.

Regards, Nicolas

Reproducible: Always
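The mechanism behind the report above, as an added example that is not part of the bug report and not the attached php539-xslt.php script: libxslt's output extension (here the EXSLT `exsl:document` element, which libxslt implements) lets a stylesheet create a file of its choosing, and PHP before 5.3.9 passed no libxslt security preferences to the processor, so a user-controlled stylesheet could drop a file wherever the web server user may write. PHP 5.3.9 added XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants; XSL_SECPREF_DEFAULT refuses file writes, directory creation and network writes. The stylesheet, the input document and the target path below are constructed for the demonstration; the function name transform() is an assumption of this example.

```php
<?php
// Added example (not from the bug report). Shows the libxslt output extension
// that CVE-2012-0057 is about, first with no security preferences (the
// pre-5.3.9 behaviour) and then with the 5.3.9+ default preferences.

// Constructed stylesheet: besides its normal result tree it writes a second
// file through EXSLT's document element, which libxslt implements. The path
// comes from a stylesheet parameter so both runs use the same stylesheet;
// href is an attribute value template, hence the {$target} syntax.
$stylesheet = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:param name="target"/>
  <xsl:template match="/">
    <exsl:document href="{$target}" method="text">written by the stylesheet</exsl:document>
    <out>done</out>
  </xsl:template>
</xsl:stylesheet>
XSL;

// Constructed input document; its content is irrelevant to the side effect.
$xml = '<?xml version="1.0"?><root/>';

/**
 * Run $stylesheet over $xml with the given XSL_SECPREF_* bitmask and report
 * whether the stylesheet managed to create $target on disk.
 * (Hypothetical helper written for this example.)
 */
function transform(string $stylesheet, string $xml, int $prefs, string $target): array
{
    $xslDoc = new DOMDocument();
    $xslDoc->loadXML($stylesheet);
    $xmlDoc = new DOMDocument();
    $xmlDoc->loadXML($xml);

    $proc = new XSLTProcessor();
    $proc->importStylesheet($xslDoc);
    $proc->setParameter('', 'target', $target);

    // The preferences are consulted by libxslt at transform time, so they
    // must be set before transformToXml(). With XSL_SECPREF_DEFAULT a refused
    // write is reported through PHP's normal error reporting as a warning.
    $proc->setSecurityPrefs($prefs);

    $output = $proc->transformToXml($xmlDoc);

    return [
        'output'       => $output,
        'file_written' => is_file($target),
    ];
}

$target = sys_get_temp_dir() . '/xslt-secprefs-demo-' . getmypid() . '.txt';

// 1. XSL_SECPREF_NONE: no restriction, equivalent to what PHP < 5.3.9 did.
//    The stylesheet's exsl:document creates the file.
$unsafe = transform($stylesheet, $xml, XSL_SECPREF_NONE, $target);
printf("XSL_SECPREF_NONE:    file written = %s\n", var_export($unsafe['file_written'], true));
@unlink($target);

// 2. XSL_SECPREF_DEFAULT (WRITE_FILE | CREATE_DIRECTORY | WRITE_NETWORK):
//    the 5.3.9+ default. The transform still produces its result tree, but
//    libxslt refuses the file write.
$safe = transform($stylesheet, $xml, XSL_SECPREF_DEFAULT, $target);
printf("XSL_SECPREF_DEFAULT: file written = %s\n", var_export($safe['file_written'], true));
@unlink($target);
```

The first run leaves the file behind and the second does not; the security preferences only control what libxslt may touch on disk and on the network, so the fix for a page like php539-xslt.php is still to never feed user-controlled XSLT to the processor, with setSecurityPrefs() (or, on 5.3.9 and 5.4, the xsl.security_prefs ini setting) as the backstop. Note also that the stylesheet's href is an attribute value template, so nothing about the target path needs to be hard-coded in the stylesheet: in the reported script it could be computed at transform time just like the RC4-decrypted payload.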
@security, this is already fixed in 5.3.9; please choose whether it can go into the existing GLSA.
Added to existing GLSA.
CVE-2012-0057 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0057): PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.
This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).