lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 3 Nov 2015 15:05:13 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] eBay Magento <= 1.9.2.1 XML eXternal Entity Injection
 (XXE) on PHP FPM

Hi,

There are some news sites that confuse this Magento/Zend Framework
vulnerability with an old SOAP parser xxe vulnerability of CVE-2013-1643
in the PHP core which was fixed in PHP 5.4.13 in 2013.
The incorrect news may give false sense of security to users with
newer PHP versions when in fact, their Magento installation may be
affected.

I wanted to clarify that the Magento/Zend Framework vulnerability I reported
does not depend on this old PHP core vulnerability  in soap parser and that
 it can also be exploited on new versions of PHP.
The Magento/Zend Framework stems from a separate vulnerability found
in the Zend Framework which I described recently at:

http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

and which was assigned the CVE-ID of CVE-2015-5161 :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161

What affects the XXE vulnerability in Magento/Zend Framework however
is entity expansion performed by the libxml2 system library.
There are several libxml2 issues that allow entity auto-expansion
(more details in advisory).

I have updated my advisory to stress that the vulnerability does not rely on
PHP version and does not depend on the old soap parser bug in PHP core.
I also updated the POC exploit code to take advantage of newer libxml2 parameter
entity issues (e.g CVE-2014-0191), so that the exploit also works on
newer libxml2 versions, which can help to test newer systems.

More details can be found in the updated advisory under the same link:

http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt

The Magento/Zend Framework exploit provided was successfully tested on
a new PHP version of 5.6.14, released a month ago.


Regards,
Dawid Golunski

http://legalhackers.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ