lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Aug 2016 06:59:36 -0500 From: crashenator@...il.com To: fulldisclosure@...lists.org Subject: [FD] php-gettext php code execution in select_string, ngettext, npgettext count parameter <1.0.12 CERT ID - VU#520504 (pending since 2015) Product - php-gettext Company - Danilo Segan Name - php-gettext php code execution Versions - <1.0.12 Patched - 11/11/2015 Ref: https://launchpad.net/php-gettext/trunk/1.0.12 Vulnerability - "code injection into the ngettext family of calls: evaluating the plural form formula can execute arbitrary code if number is passed unsanitized from the untrusted user." Description - In 1.0.11 and lower the select_string function appears as the following: /** * Detects which plural form to take * * @access private * @param n count * @return int array index of the right plural form */ function select_string($n) { $string = $this->get_plural_forms(); $string = str_replace('nplurals',"\$total",$string); $string = str_replace("n",$n,$string); $string = str_replace('plural',"\$plural",$string); $total = 0; $plural = 0; eval("$string"); if ($plural >= $total) $plural = $total - 1; return $plural; } The vulnerability here lies in the fact that $string is evaluated as PHP code. If the plural form contains an 'n', and the $n parameter is exposed to a malicious user, PHP code can be added to the value of $string before it is evaluated. For websites, this means that a vulnerable application could allow an attacker to run PHP code on your site and potentially gain control of it. The $n parameter in select_string can also be exposed through ngettext and npgettext as the $number parameter. The new release 1.0.12 was made available shortly after notification in 2015 and resolves the issue by raising an exception during non-numeric input to these parameters. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists