Full Disclosure mailing list archives
Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
From: Tony Dodd <tony () wefixtech co uk>
Date: Tue, 05 Jul 2005 13:33:35 +0200
<snip>
Synopsis ======== The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to execute arbitrary PHP script commands.
<snip>
Impact ====== A remote attacker could exploit this vulnerability to execute arbitrary PHP script code by sending a specially crafted XML document to web applications making use of these libraries. Workaround ========== There are no known workarounds at this time. Resolution ========== All PEAR-XML_RPC users should upgrade to the latest available version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.3.1" All phpxmlrpc users should upgrade to the latest available version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.1.1"
<snip>Considering this is such a widespread issue - pretty much up to the same level as santy was -, it bothers me that there has been so little discussion. This is going to effect the majority of the hosting industry; many php based web programs utilize the now opensource phpxmlrpc; which leaves a lot of stuff open to exploitation.
Add to that the fact that the exploits are available already, and the majority of people I've spoken to so far/forum posts I've read etc don't know how to deal with this.
There is talk from some people that simply upgrading phpxmlrpc will not suffice, and that you have to upgrade everything which uses it. Confusion abundant so to speak.
Anyone have any clarification on this? Regards, Tony Dodd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability Tony Dodd (Jul 05)
- Re: Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability Sebastian Nohn (Jul 05)