XML-RPC for PHP eval() XML with single quote PHP code execution
xmlrpc-command-execution (21194)
Description:
XML-RPC for PHP (PHPXMLRPC) could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of PHP code passed to eval() statements. A remote attacker could exploit this vulnerability by sending, via an HTTP POST request, a specially crafted XML file that uses single quotes to break out of the quoted string passed to eval(), allowing the attacker to execute arbitrary PHP code on the affected system.
Note: This vulnerability also affects PEAR XML_RPC and multiple applications that utilize the XML-RPC for PHP library or the PEAR XML_RPC library.
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of PEAR XML-RPC (1.3.1 or later), available from the PEAR XML_RPC Download Web page. See References.
For phpMyFAQ:
Upgrade to the latest version of phpMyFAQ (1.4.9 or later), available from the phpMyFAQ Download Web page. See References.
For Serendipity:
Upgrade to the latest version of Serendipity (0.8.2 or later), available from the SourceForge.net Web site. See References.
For Drupal:
Upgrade to the latest version of Drupal (4.5.4 or 4.6.2 or later), available from the Drupal Web site. See References.
For MailWatch for MailScanner:
Upgrade to the latest version of MailWatch for MailScanner (1.0.1 or later), available from the SourceForge.net Web site. See References.
For TikiWiki:
Upgrade to the latest version of TikiWiki (1.8.5-r1 or later), as listed in GLSA 200507-06 / Tikiwiki. See References.
For Jaws:
Upgrade to the latest version of Jaws (0.5.2 or later), available from the Jaws Web site. See References.
For phpWebSite:
Upgrade to the latest version of phpWebSite (0.10.1 or later), available from the phpWebSite Security Patch Web site. See References.
For Red Hat Linux containing the PEAR XML-RPC Server package:
Upgrade to the latest PEAR XML-RPC Server package. Refer to RHSA-2005:564-15 for more information. See References.
For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of egroupware (1.0.0.007-2.dfsg-2sarge1 or later), as listed in DSA-747-1. See References.
For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of phpgroupware (0.9.16.005-3.sarge0 or later), as listed in DSA-746-1. See References.
Upgrade to the latest version of ruby (1.8.2-7sarge1 or later), as listed in DSA-748-1. See References.
For SuSE Linux:
Upgrade to the latest version of (or later), as listed in the SUSE Security Announcement SUSE-SA:2005:041. See References.
For Mandrake Linux 10.1:
Upgrade to the latest version of Ruby (1.8.1-4.3.101mdk or later), as listed in Mandrake Security Advisory MDKSA-2005:118. See References.
For Ruby:
Upgrade to the latest version of Ruby (1.8.2-r2 or later), as listed in GLSA 200507-10 / ruby. See References.
For Gentoo Linux:
Upgrade to the latest version of dev-php/php (4.4.0 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-15. See References.
For Gentoo Linux:
Upgrade to the latest version of phpgroupware (0.9.16.006 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-08. See References.
For Gentoo Linux:
Upgrade to the latest version of dev-lang/ruby (1.8.2-r2 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-10. See References.
For Gentoo Linux:
Upgrade to the latest version of phpWebSite (0.10.1-r1 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-07. See References.
For Gentoo Linux:
Upgrade to the latest version of WordPress (1.5.1.3 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-02. See References.
For Gentoo Linux:
Upgrade to the latest version of PEAR-XML_RPC (1.3.1 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-01. See References.
For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest version of Php4 (4.1.2-7.woody5 or later), as listed in DSA-789-1. See References.
For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Php4 (4.3.10-16 or later), as listed in DSA-789-1. See References.
For SUSE Linux:
Upgrade to the latest version of php/pear XML::RPC, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:041. See References.
X86 Platform:
SUSE Linux 8.2: 4.3.1-180 or later
X86 and x86-64 Platforms:
SUSE Linux 9.3: 4.3.10-14.6 or later (php4) or 5.0.3-14.6 or later (php5)
SUSE Linux 9.2: 4.3.8-8.9 or later
SUSE Linux 9.1: 4.3.4-43.36 or later
SUSE Linux 9.0: 4.3.3-191 or later
Upgrade to the latest version of php4 and php5, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:051. See References.
X86 and x86-64 Platforms:
SUSE Linux 9.3: 4.3.10-14.11 or later (php4) or 5.0.3-14.11 or later (php5)
SUSE Linux 9.2: 4.3.8-8.14 or later
SUSE Linux 9.1: 4.3.4-43.44 or later
SUSE Linux 9.0: 4.3.3-196 or later
For Conectiva Linux 10.0:
Upgrade to the latest version of ruby (1.8.3 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:984. See References.
For Conectiva Linux 9.0 and 10.0:
Upgrade to the latest version of php4 (4.3.11 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:980. See References.
For FreeMED:
Upgrade to the latest version of FreeMED (0.8.1.1 or later), available from the SourceForge.net FreeMED Project page. See References.
For HP Tru64 UNIX:
Refer to Hewlett-Packard Company Security Bulletin HPSBTU02083 for patch, upgrade or workaround information. See References.
For Ubuntu Linux:
Refer to USN-147-1 and USN-147-2 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- CIAC INFORMATION BULLETIN P-312: Apple Security Update 2005-008
- Conectiva Linux Security Announcement CLSA-2005:980: Fix for php4 vulnerability
- Conectiva Linux Security Announcement CLSA-2005:984: Fix for security vulnerability in ruby
- Drupal Web site: Drupal
- DSA 748-1: ruby1.8 -- bad default value
- Hewlett-Packard Company Security Bulletin HPSBTU02083: SSRT051069 - HP Tru64 Unix Secure Web Server (SWS 6.4.1 and earlier) PHP/XMLRPC Remote Unauthorized Execution of Arbitrary Code
- Multiple vulnerabilities in Phpwebsite: Hackers Centers: Internet Security Archive: Multiple vulnerabilities in Phpwebsite
- Nobuhiro IMAI Web page: arbitrary command execution on XMLRPC server
- PEAR Web page: What is PEAR?
- PEAR XML_RPC Download Web page: Package Information: XML_RPC
- phpGroupWare Web site: phpGroupWare.org
- phpMyFAQ Download Web page: Stable versions
- phpWebSite Security Patch Web site: phpWebSite Security Patch
- phpWebSite Web site: phpWebSite
- Ruby Advisory: XMLRPC.iPIMethods Vulnerability
- SourceForge.net: Project: MailWatch for MailScanner: File List
- SourceForge.net: Project: Serendipity PHP Weblog System: File List
- SourceForge.net: About FreeMED Project
- BID-14088: XML-RPC for PHP Remote Code Injection Vulnerability
- BID-14110: Drupal Arbitrary PHP Code Execution Vulnerability
- BID-14166: PHPWebSite Index.PHP Directory Traversal Vulnerability
- CVE-2005-1921: Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
- CVE-2005-2106: Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
- DSA-745: drupal -- input validation errors
- DSA-746: phpgroupware -- input validation error
- DSA-747: egroupware -- input validation error
- DSA-789: php4 -- several vulnerabilities
- GLSA-200507-01: PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
- GLSA-200507-02: WordPress: Multiple vulnerabilities
- GLSA-200507-06: TikiWiki: Arbitrary command execution through XML-RPC
- GLSA-200507-07: phpWebSite: Multiple vulnerabilities
- GLSA-200507-08: phpGroupWare, eGroupWare: PHP script injection vulnerability
- GLSA-200507-15: PHP: Script injection through XML-RPC
- MDKSA-2005:109: Updated php-pear packages fix remotely exploitable vulnerability
- RHSA-2005-564: php security update
- SA15810: phpMyFAQ XML-RPC PHP Code Execution Vulnerability
- SA15852: XML-RPC for PHP PHP Code Execution Vulnerability
- SA15855: PostNuke XML-RPC Library PHP Code Execution Vulnerability
- SA15861: PEAR XML_RPC PHP Code Execution Vulnerability
- SA15872: Drupal PHP Code Execution Vulnerabilities
- SA15883: phpAdsNew XML-RPC PHP Code Execution Vulnerability
- SA15884: phpPgAds XML-RPC PHP Code Execution Vulnerability
- SA15895: Nucleus XML-RPC PHP Code Execution Vulnerability
- SA15903: PhpWiki XML-RPC PHP Code Execution Vulnerability
- SA15904: BLOG:CMS XML-RPC PHP Code Execution Vulnerability
- SA15916: eGroupWare XML-RPC PHP Code Execution Vulnerability
- SA15917: phpGroupWare XML-RPC PHP Code Execution Vulnerability
- SA15922: Jaws "path" File Inclusion and XML-RPC PHP Code Execution
- SA15944: TikiWiki XML-RPC PHP Code Execution Vulnerability
- SA15947: MailWatch for MailScanner XML-RPC PHP Code Execution
- SA15957: Ampache XML-RPC PHP Code Execution Vulnerability
- SA16001: phpWebSite PEAR XML_RPC PHP Code Execution
- SA16339: XOOPS PHPMailer and XML-RPC Vulnerabilities
- SA16693: MAXdev MD-Pro Multiple Vulnerabilities
- SA17440: b2evolution XML-RPC PHP Code Execution Vulnerabilities
- SA17674: FreeMED XML_RPC PHP Code Execution Vulnerability
- SA18003: HP Tru64 UNIX Secure Web Server XML_RPC PHP Code Execution Vulnerability
- SECTRACK ID: 1015336: HP Secure Web Server for Tru64 UNIX XMLRPC Bug Lets Remote Users Execute Arbitrary PHP Code
- SUSE-SA:2005:041: php/pear XML::RPC: remote code execution
- SUSE-SA:2005:049: php4 php5: remote code execution
- SUSE-SA:2005:051: php4 php5: remote code execution
- SUSE-SR:2005:018: SUSE Security Summary Report
- US-CERT VU#442845: Multiple PHP XML-RPC implementations vulnerable to code injection
- USN-147-1: PHP XMLRPC vulnerability
- USN-147-2: Fixed php4-pear packages for USN-147-1
- VUPEN/ADV-2005-1031: phpWebSite XML-RPC Library Remote Code Execution Vulnerability
- VUPEN/ADV-2005-2827: HP Tru64 Unix Secure Web Server Remote Code Execution Vulnerability
Platforms Affected:
- Canonical Ubuntu 4.10
- Canonical Ubuntu 5.04
- Conectiva Linux 10
- Conectiva Linux 9.0
- Debian Debian Linux 3.0
- Debian Debian Linux 3.1
- Drupal Drupal prior to 4.5.4
- Drupal Drupal prior to 4.6.2
- FedoraProject Fedora Core 3
- FedoraProject Fedora Core 4
- FreeMED FreeMED prior to 0.8.1.1
- Gentoo Linux
- Jaws Jaws prior to 0.5.2
- MandrakeSoft Mandrake Linux 10.0 AMD64
- MandrakeSoft Mandrake Linux 10.0
- MandrakeSoft Mandrake Linux 10.1
- MandrakeSoft Mandrake Linux 10.1 X86_64
- MandrakeSoft Mandrake Linux LE2005
- MandrakeSoft Mandrake Linux LE2005 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- Novell Open Enterprise Server
- PEAR PEAR XML_RPC prior to 1.3.1
- PHP PHP 1.0
- RedHat Enterprise Linux 3 Desktop
- RedHat Enterprise Linux 3 AS
- RedHat Enterprise Linux 3 ES
- RedHat Enterprise Linux 3 WS
- RedHat Enterprise Linux 4 AS
- RedHat Enterprise Linux 4 ES
- RedHat Enterprise Linux 4 Desktop
- RedHat Enterprise Linux 4 WS
- RedHat Enterprise Linux AS
- Ruby-lang Ruby 1.8.2-r2 and prior
- s9y Serendipity prior to 0.8.2
- SuSE Linux Enterprise Server 8
- SuSE Linux Enterprise Server 9
- SUSE SuSE Linux 8.2
- SUSE SuSE Linux 9.0
- SUSE SuSE Linux 9.1
- SUSE SuSE Linux 9.2
- SUSE SuSE Linux 9.3
- SuSE SuSE SLES 9
- Thorsten Rinne PhpMyFAQ 1.4
- Thorsten Rinne PhpMyFAQ 1.5
- TikiWiki TikiWiki 1.8.5-r1 and prior
Reported:
Jun 29, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
