Full Disclosure mailing list archives

Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability


From: Tony Dodd <tony () wefixtech co uk>
Date: Tue, 05 Jul 2005 13:33:35 +0200

<snip>

Synopsis
========

The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to
execute arbitrary PHP script commands.

<snip>

Impact
======

A remote attacker could exploit this vulnerability to execute arbitrary
PHP script code by sending a specially crafted XML document to web
applications making use of these libraries.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All PEAR-XML_RPC users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.3.1"

All phpxmlrpc users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.1.1"
<snip>

Considering this is such a widespread issue - pretty much up to the same level as Santy was - it bothers me that there has been so little discussion. This is going to affect the majority of the hosting industry; many PHP-based web programs utilize the now open-source phpxmlrpc, which leaves a lot of stuff open to exploitation.

Add to that the fact that the exploits are available already, and the majority of people I've spoken to so far/forum posts I've read etc. don't know how to deal with this.

There is talk from some people that simply upgrading phpxmlrpc will not suffice, and that you have to upgrade everything which uses it. Confusion abundant so to speak.

Anyone have any clarification on this?

Regards,

Tony Dodd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

