01271: PHP Code Injection Vulnerability

Summary: PHP Code Injection Vulnerability
Created: 2011-11-11 05:23
Status: Closed, fixed for 2.2.35
Category: Bug
Assigned:
Priority: 5
Version: from 2.0.0 to 2.2.34
OS: All

Description:

Hi,
I found a critical security vulnerability that could allow malicious users to execute arbitrary PHP code.
The vulnerable code is in the PageListSort() function defined in /scripts/pagelist.php:

452.    $code = '';
453.    foreach($opt['=order'] as $o => $r) {
454.      if (@$PageListSortCmp[$o])
455.        $code .= "\$c = {$PageListSortCmp[$o]}; ";
456.      else
457.        $code .= "\$c = @strcasecmp(\$PCache[\$x]['$o'],\$PCache[\$y]['$o']); ";
458.      $code .= "if (\$c) return $r\$c;\n";
459.    }
460.    StopWatch('PageListSort sort');
461.    if ($code)
462.      uasort($list,
463.             create_function('$x,$y', "global \$PCache; $code return 0;"));
464.    StopWatch('PageListSort end');

Input passed through the 'order' parameter of the 'pagelist' directive isn't properly sanitized before being used in a
call to create_function() at line 463. So an attacker could create a page with a directive such as this:

( : pagelist order=']);phpinfo();die;# : )

Successful exploitation of this vulnerability might require authentication if the wiki isn't publicly writable.

Regards,
EgiX

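The root cause in the snippet above is that the sort comparator is assembled as a PHP source string from the user-controlled field name $o and then handed to create_function(), so any character that breaks out of the quoted key becomes executable code. The following is an added illustration, not PmWiki's code or its actual 2.2.35 fix: it shows the same sort performed with a closure and a validated order specification, so no code string is ever generated. The $PCache layout, the ParseOrderSpec()/SafePageListSort() names and the field-name character set in the regex are assumptions for this example; the sample page cache is constructed.

```php
<?php
// Added example (not PmWiki's code): a string-free replacement for the
// comparator that PageListSort() built with create_function().
// $PCache, $PageListSortCmp and the order spec shape are assumed to follow
// the snippet in the report; the field-name whitelist is an assumption.

// Constructed sample page cache: page name => metadata fields.
$PCache = [
    'Main.Alpha' => ['name' => 'Main.Alpha', 'time' => 300, 'title' => 'Zebra'],
    'Main.Beta'  => ['name' => 'Main.Beta',  'time' => 100, 'title' => 'apple'],
    'Main.Gamma' => ['name' => 'Main.Gamma', 'time' => 200, 'title' => 'Mango'],
];

// Custom comparators are callables rather than code fragments, so there is
// nothing to splice into a source string and nothing to eval.
$PageListSortCmp = [
    'time' => function (array $a, array $b): int {
        return $a['time'] <=> $b['time'];
    },
];

/**
 * Parse an order= value into [field => direction] pairs. Each term must be a
 * plain field name with an optional leading '-'; anything else (quotes,
 * brackets, semicolons, ...) causes the whole spec to be rejected.
 * Returns null when any term fails validation.
 */
function ParseOrderSpec(string $order): ?array
{
    $spec = [];
    $terms = preg_split('/[\s,]+/', trim($order), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($terms as $term) {
        // Assumed field-name charset: letters, digits, underscore, colon, dot.
        if (!preg_match('/^(-?)([A-Za-z0-9_:.]+)$/', $term, $m)) {
            return null;
        }
        $spec[$m[2]] = ($m[1] === '-') ? -1 : 1;
    }
    return $spec;
}

/**
 * Sort the page names in $list according to $spec. The comparator is a
 * closure that captures its data with `use`; the field name is only ever
 * used as an array key, never as PHP source.
 */
function SafePageListSort(array $list, array $spec, array $PCache, array $PageListSortCmp): array
{
    $cmp = function (string $x, string $y) use ($spec, $PCache, $PageListSortCmp): int {
        foreach ($spec as $field => $dir) {
            if (isset($PageListSortCmp[$field])) {
                $c = $PageListSortCmp[$field]($PCache[$x], $PCache[$y]);
            } else {
                $c = strcasecmp((string)($PCache[$x][$field] ?? ''),
                                (string)($PCache[$y][$field] ?? ''));
            }
            if ($c) {
                return $dir * $c;
            }
        }
        return 0;
    };
    uasort($list, $cmp);
    return $list;
}

// uasort() passes array values to the comparator, so the list holds page names.
$list = array_keys($PCache);

// A legitimate spec: newest page first, then by title (case-insensitive).
$spec = ParseOrderSpec('-time title');
print_r(array_values(SafePageListSort($list, $spec, $PCache, $PageListSortCmp)));

// The payload quoted in the report never reaches the sort: it fails
// validation and the caller can fall back to a default order.
var_dump(ParseOrderSpec("']);phpinfo();die;#"));
```

Validating the field name against a strict whitelist before it is used as an array key, and expressing the comparator as a closure instead of a generated string, removes the injection point entirely rather than trying to escape individual characters. create_function() itself is deprecated as of PHP 7.2 and removed in PHP 8.0, so any remaining callers need the same kind of rewrite regardless of this bug.
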
Thanks for this report, this bug was fixed in Subversion and a new version will be released today. --Petko November 11, 2011, at 07:40 AM