XML-RPC for PHP eval() nested XML tag PHP code execution

phpxmlrpc-eval-code-execution (21842) The risk level is classified as HighHigh Risk

Description:

XML-RPC could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability regarding improper handling of PHP code passed to eval() statements. A remote attacker could exploit this vulnerability by sending specially-crafted XMLRPC requests containing nested XML tags, allowing the attacker to execute arbitrary PHP code on the affected system.

Note: This vulnerability also affects PEAR XML_RPC and multiple applications that utilize the XML-RPC for PHP library or the PEAR XML_RPC library.


Consequences:

Gain Access

Remedy:

For XML-RPC for PHP:
Upgrade to the latest version of XML-RPC for PHP (1.2 or later), available from the XML-RPC for PHP Web page. See References.

For PEAR XML_RPC:
Upgrade to the latest version of XML_RPC (1.4.5 or later), available from The PHP Group Web site. See References.

For other XML-RPC for PHP implementations:
Contact your vendor for patch or upgrade information. See References.

For Red Hat Linux:
Refer to RHSA-2005:748-05 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2005-09-19 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (phpWebSite):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-21 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (phpGroupWare):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-20 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (phpWiki):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-18 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (TikiWiki, eGroupWare):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-14 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Pear, phpxmlrpc):
Refer to Gentoo Linux Security Announcement GLSA 2005-08-13 for patch, upgrade, or suggested workaround information. See References.

References:

  • BugTraq Mailing List, 2005-08-15 2:34:50: [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue.
  • CIAC INFORMATION BULLETIN P-282: PHP PEAR XML-RPC Server Package Vulnerability.
  • Fedora Legacy Update Advisory FLSA:166943: Updated php packages fix security issues.
  • Hardened-PHP Project Security Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability.
  • The PHP Group Web site: PEAR :: Package :: XML_RPC.
  • TikiWiki Web site: ReleaseProcess186.
  • XML-RPC for PHP Web site: XML-RPC for PHP.
  • BID-14560: PHPXMLRPC and PEAR XML_RPC Remote Code Injection Vulnerability
  • CVE-2005-2498: Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP document that should not be nested, which are injected into an eval function call, a different vulnerability than CVE-2005-1921.
  • DSA-789: php4 -- several vulnerabilities
  • DSA-798: phpgroupware -- several vulnerabilities
  • DSA-840: drupal -- missing input sanitising
  • DSA-842: egroupware -- missing input sanitising
  • GLSA-200508-13: PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
  • GLSA-200508-14: TikiWiki, eGroupWare: Arbitrary command execution through XML-RPC
  • GLSA-200508-18: PhpWiki: Arbitrary command execution through XML-RPC
  • GLSA-200508-20: phpGroupWare: Multiple vulnerabilities
  • GLSA-200508-21: phpWebSite: Arbitrary command execution through XML-RPC and SQL injection
  • GLSA-200509-19: PHP: Vulnerabilities in included PCRE and XML-RPC libraries
  • MDKSA-2005:146: Updated php-pear packages fix more PEAR XML-RPC vulnerabilities
  • RHSA-2005-748: php security update
  • SA16431: XML-RPC for PHP Nested XML Tags PHP Code Execution
  • SA16432: Drupal XML-RPC PHP Code Execution Vulnerability
  • SA16441: phpMyFAQ XML-RPC Nested XML Tags PHP Code Execution
  • SA16460: Nucleus CMS XML-RPC Nested XML Tags PHP Code Execution
  • SA16465: eGroupWare XML-RPC Nested XML Tags PHP Code Execution
  • SA16468: phpAdsNew Multiple Vulnerabilities
  • SA16469: phpPgAds Multiple Vulnerabilities
  • SA16491: MailWatch for MailScanner XML-RPC PHP Code Execution
  • SA16558: phpGroupWare Multiple Vulnerabilities
  • SA16563: TikiWiki XML-RPC Nested XML Tags PHP Code Execution
  • SA16693: MAXdev MD-Pro Multiple Vulnerabilities
  • SA17440: b2evolution XML-RPC PHP Code Execution Vulnerabilities
  • SUSE-SA:2005:049: php4 php5: remote code execution
  • SUSE-SA:2005:051: php4 php5: remote code execution
  • USN-171-1: PHP4 vulnerabilities

Platforms Affected:

  • Canonical Ubuntu 4.10
  • Canonical Ubuntu 5.04
  • Debian Debian Linux 3.0
  • Debian Debian Linux 3.1
  • Drupal Drupal 4.5.0
  • Drupal Drupal 4.5.1
  • Drupal Drupal 4.5.2
  • Drupal Drupal 4.5.3
  • Drupal Drupal 4.5.4
  • Drupal Drupal 4.6.0
  • Drupal Drupal 4.6.1
  • Drupal Drupal 4.6.2
  • eGroupWare eGroupWare prior to 1.0.0.009-2
  • François PLANQUE b2evolution prior to 0.9.1
  • Gentoo Linux
  • Joseph Engo phpGroupWare prior to 0.9.16.007
  • Mailwatch Mailwatch prior to 1.0.2
  • MandrakeSoft Mandrake Linux 10.0
  • MandrakeSoft Mandrake Linux 10.0 AMD64
  • MandrakeSoft Mandrake Linux 10.1
  • MandrakeSoft Mandrake Linux 10.1 X86_64
  • MandrakeSoft Mandrake Linux LE2005
  • MandrakeSoft Mandrake Linux LE2005 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 3.0
  • MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
  • MAXdev MDPro prior to 1.0.73
  • Nucleus Group Nucleus CMS prior to 3.22
  • PEAR PEAR XML_RPC 1.3.3 and prior
  • phpPgAds phpPgAds prior to 2.0.6
  • RedHat Enterprise Linux 3 WS
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 Desktop
  • SuSE Linux Enterprise Server 8
  • SUSE SuSE Linux 9.0
  • SUSE SuSE Linux 9.1
  • SUSE SuSE Linux 9.2
  • SUSE SuSE Linux 9.3
  • TikiWiki TikiWiki prior to 1.8.6
  • Tobias Ratschiller phpAdsNew prior to 2.0.6
  • XML-RPC for PHP XML-RPC for PHP 1.1.1 and prior

Reported:

Aug 15, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page