You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cocoon.apache.org by Nicolas Toper <nt...@jouve.fr> on 2004/02/04 17:36:36 UTC

[OT] Re: variable substitution in @type attributes

Well with PHP you could do a lot of awful things and since it's dynamically 
typed it's easier to write BIG STUPID things...

for instance you could something like that:
 for every parameter in the POST
	do action with it
 end for

That's something a framework like Cocoon is good at: diffuse good practices 
and avoid usual mistakes :=)

Le Mercredi 04 Février 2004 17:30, Sylvain Wallez a écrit :
> Nicolas Toper wrote:
> >Yes that's how you can hack a lot of PHP servers (yes I was young ;=))
>
> Yep it's way easier in PHP (the infamous include injection in PHPNuke)!
>
> >Le Mercredi 04 Février 2004 17:11, Sylvain Wallez a écrit :
> >>Jorg Heymans wrote:
> >>>>Moreover, the use case shows a component type coming directly for the
> >>>>request URI, which is a giant door open to "component injection" by
> >>>>providing a value for the type that is not in the expected values and
> >>>>executes arbitrary code on the server.
> >>>
> >>>Wooo hold on here, what you just described sounds a bit like a buffer
> >>>overflow type of exploit, a bit of overkill i think.
> >>>
> >>>Granted, if i can
> >>>1) upload my component
> >>>2) reload/restart the servlet container
> >>>3) get my components initialize() to run
> >>>
> >>>then i'm in business. But how feasible is this? Worst case would be if
> >>>the user configured fileuploads to go to web-inf/lib or
> >>>web-inf/classes but then you're in trouble anyway because i'll upload
> >>>my custom servlet class that overwrites the cocoon servlet.
> >>>
> >>>Understanding your concerns, but needing a higher than extremely
> >>>unlikely and isolated usecase,
> >>
> >>That's not unlikely and doesn't require uploading classes. Consider the
> >>following:
> >><map:match pattern="*-*.html">
> >>  <map:generate src="repository/{1}.xml" type="file"/>
> >>  <map:transform type="{2}"/>
> >>  <map:serialize type="html"/>
> >></map:match>
> >>
> >>Now suppose we're in a CMS and that the user can upload the initial xml
> >>file. What if {2}, which is expected to be "foo" or "bar" is set to
> >>"jxtemplate"? The uploaded file iss interpreted and can then execute
> >>arbitrary code on the server!
> >>
> >>Does this sound so unlikely?
> >>
> >>Sylvain