List: oss-security
Subject: Re: [oss-security] CVE Request: Juju phpmyadmin charm
From: Seth Arnold <seth.arnold () canonical ! com>
Date: 2014-01-30 0:08:19
Message-ID: 20140130000819.GA374 () hunt
On Thu, Jan 30, 2014 at 10:51:48AM +1100, dawg wrote:
> Hello,
>
> The second (replacement) argument passed to preg_replace is empty: it
> doesn't use matched input. This can't be exploited.
Thanks dawg for finding my mistake.
I retract this CVE request.
Thanks
> Examples:
>
> $ php -r 'print(preg_replace("/(.*)/e","","phpinfo();"));'
> => Nothing
>
> $ php -r 'print(preg_replace("/(.*)/e","$1","phpinfo();"));'
> => phpinfo() gets executed
>
> Bye
>
> On 30/01/2014 10:16, Seth Arnold wrote:
> > Hello Kurt, vendors, MITRE,
> >
> > Please assign a CVE for the following issue:
> >
> > I discovered a potentially unsafe use of PHP's preg_replace() /e option in
> > the Juju charm phpmyadmin:
> >
> > $xml = simplexml_load_string(preg_replace("/(<\/?)media\:content([^>]*>)/e",
> > '', str_replace('media:hash',
> > 'hash',
> > file_get_contents('https://sourceforge.net/api/file/index/project-id/23067/mtime/desc/limit/40/rss'))));
> >
> > An attacker able to spoof ARP, DNS, or BGP, or control any of the routers
> > between the client and sourceforge.net, or control over the sourceforge
> > project or sourceforge servers, would be in a position to insert likely
> > arbitrary code into the PHP interpreter.
> >
> > The full source of this file can be found at:
> >
> > http://bazaar.launchpad.net/~charmers/charms/precise/phpmyadmin/trunk/view/head:/bin/parse_upstream
> >
> > I have reported the bug to:
> >
> > https://bugs.launchpad.net/charms/+source/phpmyadmin/+bug/1274264
> >
> > The problem appears to have been introduced in revision 18. No fix is
> > currently available.
> >
> > Thanks
> >
>
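An added example, not the phpmyadmin charm's code and not from the thread: the same media:content stripping done with the plain pattern (no /e, since the replacement is a fixed literal the eval modifier buys nothing), plus a small pre-flight check that flags patterns still carrying /e. The RSS fragment and the helper names strip_media_content and uses_eval_modifier are constructed for this example.

```php
<?php
// Added example: not the charm's code. Constructed RSS fragment standing in
// for the feed the charm fetches from sourceforge.net.
$rss = <<<'XML'
<rss><channel><item>
<title>example-4.1.6-all-languages.zip</title>
<media:content filesize="1234" type="application/zip"/>
<media:hash algo="sha1">0123456789abcdef</media:hash>
</item></channel></rss>
XML;

// Hardened equivalent of the charm's call: identical pattern minus /e.
// With a literal '' replacement, nothing from the fetched document can
// reach the interpreter; on PHP 7+ the /e modifier is gone anyway.
function strip_media_content(string $xml): string {
    $xml = str_replace('media:hash', 'hash', $xml);
    return preg_replace('/(<\/?)media\:content([^>]*>)/', '', $xml);
}

// Pre-flight check for code that builds patterns at runtime: true when the
// modifier list after the closing delimiter still contains 'e'.
// Assumes a single-character, non-bracket delimiter such as / or #.
function uses_eval_modifier(string $pattern): bool {
    $delim = $pattern[0];
    $close = strrpos($pattern, $delim);
    if ($close === false || $close === 0) {
        return false;
    }
    return strpos(substr($pattern, $close + 1), 'e') !== false;
}

$clean = strip_media_content($rss);
$doc = simplexml_load_string($clean);
var_dump(strpos($clean, 'media:content') === false);
var_dump((string) $doc->channel->item->hash);
var_dump(uses_eval_modifier('/(<\/?)media\:content([^>]*>)/e'));
var_dump(uses_eval_modifier('/(<\/?)media\:content([^>]*>)/'));
```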