XML-RPC for PHP eval() nested XML tag PHP code execution

phpxmlrpc-eval-code-execution (21842)

High Risk

Description:

XML-RPC could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability regarding improper handling of PHP code passed to eval() statements. A remote attacker could exploit this vulnerability by sending specially-crafted XMLRPC requests containing nested XML tags, allowing the attacker to execute arbitrary PHP code on the affected system.

Note: This vulnerability also affects PEAR XML_RPC and multiple applications that utilize the XML-RPC for PHP library or the PEAR XML_RPC library.

Platforms Affected:

• Canonical, Ubuntu 4.10
• Canonical, Ubuntu 5.04
• Debian, Debian Linux 3.0
• Debian, Debian Linux 3.1
• Drupal, Drupal 4.5.0
• Drupal, Drupal 4.5.1
• Drupal, Drupal 4.5.2
• Drupal, Drupal 4.5.3
• Drupal, Drupal 4.5.4
• Drupal, Drupal 4.6.0
• Drupal, Drupal 4.6.1
• Drupal, Drupal 4.6.2
• eGroupWare, eGroupWare prior to 1.0.0.009-2
• François PLANQUE, b2evolution prior to 0.9.1
• Gentoo, Linux
• Joseph Engo, phpGroupWare prior to 0.9.16.007
• Mailwatch, Mailwatch prior to 1.0.2
• MandrakeSoft, Mandrake Linux 10.0
• MandrakeSoft, Mandrake Linux 10.0 AMD64
• MandrakeSoft, Mandrake Linux 10.1
• MandrakeSoft, Mandrake Linux 10.1 X86_64
• MandrakeSoft, Mandrake Linux LE2005 X86_64
• MandrakeSoft, Mandrake Linux LE2005
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MAXdev, MDPro prior to 1.0.73
• Nucleus Group, Nucleus CMS prior to 3.22
• PEAR, PEAR XML_RPC 1.3.3 and prior
• phpPgAds, phpPgAds prior to 2.0.6
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 AS
• SuSE, Linux Enterprise Server 8
• SuSE, SuSE Linux 9.0
• SuSE, SuSE Linux 9.1
• SuSE, SuSE Linux 9.2
• SuSE, SuSE Linux 9.3
• TikiWiki, TikiWiki prior to 1.8.6
• Tobias Ratschiller, phpAdsNew prior to 2.0.6
• XML-RPC for PHP, XML-RPC for PHP 1.1.1 and prior

Remedy:

For XML-RPC for PHP:
Upgrade to the latest version of XML-RPC for PHP (1.2 or later), available from the XML-RPC for PHP Web page. See References.

For PEAR XML_RPC:
Upgrade to the latest version of XML_RPC (1.4.5 or later), available from The PHP Group Web site. See References.

For other XML-RPC for PHP implementations:
Contact your vendor for patch or upgrade information. See References.

For Red Hat Linux:
Refer to RHSA-2005:748-05 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2005-09-19 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (phpWebSite):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-21 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (phpGroupWare):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-20 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (phpWiki):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-18 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (TikiWiki, eGroupWare):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-14 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Pear, phpxmlrpc):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-13 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Access

References:

• BugTraq Mailing List, 2005-08-15 2:34:50, [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue at http://marc.theaimsgroup.com/?l=bugtraq&m=112412415822890&w=2.
• CIAC INFORMATION BULLETIN P-282, PHP PEAR XML-RPC Server Package Vulnerability at http://www.ciac.org/ciac/bulletins/p-282.shtml.
• Fedora Legacy Update Advisory FLSA:166943, Updated php packages fix security issues at http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html.
• Hardened-PHP Project Security Advisory 15/2005, PHPXMLRPC Remote PHP Code Injection Vulnerability at http://www.hardened-php.net/advisory_152005.67.html .
• The PHP Group Web site, PEAR :: Package :: XML_RPC at http://pear.php.net/package/XML_RPC/.
• TikiWiki Web site, ReleaseProcess186 at http://tikiwiki.org/ReleaseProcess186.
• XML-RPC for PHP Web site, XML-RPC for PHP at http://phpxmlrpc.sourceforge.net/.
• BID-14560: PHPXMLRPC and PEAR XML_RPC Remote Code Injection Vulnerability
• CVE-2005-2498: Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP document that should not be nested, which are injected into an eval function call, a different vulnerability than CVE-2005-1921.
• DSA-789: php4 -- several vulnerabilities
• DSA-798: phpgroupware -- several vulnerabilities
• DSA-840: drupal -- missing input sanitising
• DSA-842: egroupware -- missing input sanitising
• GLSA-200508-13: PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
• GLSA-200508-14: TikiWiki, eGroupWare: Arbitrary command execution through XML-RPC
• GLSA-200508-18: PhpWiki: Arbitrary command execution through XML-RPC
• GLSA-200508-20: phpGroupWare: Multiple vulnerabilities
• GLSA-200508-21: phpWebSite: Arbitrary command execution through XML-RPC and SQL injection
• GLSA-200509-19: PHP: Vulnerabilities in included PCRE and XML-RPC libraries
• MDKSA-2005:146: Updated php-pear packages fix more PEAR XML-RPC vulnerabilities
• RHSA-2005-748: php security update
• SA16431: XML-RPC for PHP Nested XML Tags PHP Code Execution
• SA16432: Drupal XML-RPC PHP Code Execution Vulnerability
• SA16441: phpMyFAQ XML-RPC Nested XML Tags PHP Code Execution
• SA16460: Nucleus CMS XML-RPC Nested XML Tags PHP Code Execution
• SA16465: eGroupWare XML-RPC Nested XML Tags PHP Code Execution
• SA16468: phpAdsNew Multiple Vulnerabilities
• SA16469: phpPgAds Multiple Vulnerabilities
• SA16491: MailWatch for MailScanner XML-RPC PHP Code Execution
• SA16558: phpGroupWare Multiple Vulnerabilities
• SA16563: TikiWiki XML-RPC Nested XML Tags PHP Code Execution
• SA16693: MAXdev MD-Pro Multiple Vulnerabilities
• SA17440: b2evolution XML-RPC PHP Code Execution Vulnerabilities
• SUSE-SA:2005:049: php4 php5: remote code execution
• SUSE-SA:2005:051: php4 php5: remote code execution
• USN-171-1: PHP4 vulnerabilities

Reported:

Aug 15, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page