Hi, There are some news sites that confuse this Magento/Zend Framework vulnerability with an old SOAP parser xxe vulnerability of CVE-2013-1643 in the PHP core which was fixed in PHP 5.4.13 in 2013. The incorrect news may give false sense of security to users with newer PHP versions when in fact, their Magento installation may be affected. I wanted to clarify that the Magento/Zend Framework vulnerability I reported does not depend on this old PHP core vulnerability in soap parser and that it can also be exploited on new versions of PHP. The Magento/Zend Framework stems from a separate vulnerability found in the Zend Framework which I described recently at: http://ift.tt/1TuTtf4 and which was assigned the CVE-ID of CVE-2015-5161 : http://ift.tt/1IUs697 What affects the XXE vulnerability in Magento/Zend Framework however is entity expansion performed by the libxml2 system library. There are several libxml2 issues that allow entity auto-expansion (more details in advisory). I have updated my advisory to stress that the vulnerability does not rely on PHP version and does not depend on the old soap parser bug in PHP core. I also updated the POC exploit code to take advantage of newer libxml2 parameter entity issues (e.g CVE-2014-0191), so that the exploit also works on newer libxml2 versions, which can help to test newer systems. More details can be found in the updated advisory under the same link: http://ift.tt/1ioJFlf The Magento/Zend Framework exploit provided was successfully tested on a new PHP version of 5.6.14, released a month ago. Regards, Dawid Golunski http://legalhackers.com
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment