lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 15 Aug 2016 06:59:36 -0500
From: crashenator@...il.com
To: fulldisclosure@...lists.org
Subject: [FD] php-gettext php code execution in select_string, ngettext,
 npgettext count parameter <1.0.12

CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12
Vulnerability - "code injection into the ngettext family of calls: 
evaluating the plural form formula can execute arbitrary code if number 
is passed unsanitized from the untrusted user."
Description -
In 1.0.11 and lower the select_string function appears as the following:

   /**
    * Detects which plural form to take
    *
    * @access private
    * @param n count
    * @return int array index of the right plural form
    */
   function select_string($n) {
     $string = $this->get_plural_forms();
     $string = str_replace('nplurals',"\$total",$string);
     $string = str_replace("n",$n,$string);
     $string = str_replace('plural',"\$plural",$string);
     $total = 0;
     $plural = 0;
     eval("$string");
     if ($plural >= $total) $plural = $total - 1;
     return $plural;
   }

The vulnerability here lies in the fact that $string is evaluated as PHP 
code.  If the plural form contains an 'n', and the $n parameter is 
exposed to a malicious user, PHP code can be added to the value of 
$string before it is evaluated.  For websites, this means that a 
vulnerable application could allow an attacker to run PHP code on your 
site and potentially gain control of it.

The $n parameter in select_string can also be exposed through ngettext 
and npgettext as the $number parameter.

The new release 1.0.12 was made available shortly after notification in 
2015 and resolves the issue by raising an exception during non-numeric 
input to these parameters.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists