CERT VU#442845
Jul 06, 2005 - 12:00 a.m.

Multiple PHP XML-RPC implementations vulnerable to code injection

2005-07-06 00:00:00
www.kb.cert.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.959 High (Percentile: 99.4%)

Overview

A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system.

Description

XML-RPC is a specification and a set of implementations that allow software running on disparate operating systems and in different environments to make procedure calls over the Internet. XML-RPC uses HTTP for the transport protocol and XML for the data encoding. Several independent implementations of XML-RPC exist for PHP applications.

Several PHP XML-RPC implementations share a common flaw: the XML-RPC server passes unsanitized user input to eval(). This results in a vulnerability that could allow a remote attacker to execute code on a vulnerable system. An attacker with the ability to upload a crafted XML file could insert PHP code that would then be executed by the web application using the vulnerable XML-RPC code.


Impact

Remote attackers may be able to execute PHP code of their choosing on a vulnerable system. The code would be executed in the context of the server program that runs the corresponding web application. Secondary impacts of a compromised web service account include, but are not limited to, malicious modification of web site data, information disclosure, and access that may be leveraged to gain additional system privileges.


Solution

Upgrade or apply a patch

Various vendors have published patches and updated versions of their software to address this issue. Please see the Systems Affected section of this document for information on a specific product or vendor.

Note that because the vulnerability exists in a common extension module, any application that uses the flawed code, including custom applications, may expose the vulnerability. Developers that bundle their own versions of the XML-RPC library with their application should exercise extra care to evaluate their own potential use of the vulnerable code.
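One way to act on the note above when reviewing an application that bundles XML-RPC code is to list every eval() call in its PHP sources whose argument is built at run time. The following is an added example, not part of the CERT advisory or of any listed vendor's code; the function names and sample sources are constructed for illustration, heredoc strings are not handled, and an escaped `\$` inside a double-quoted string is conservatively reported as dynamic.

```python
import os
import re

# PHP string literals and comments, masked before searching for eval().
_TOKEN = re.compile(r"""
    (?P<sq>'(?:\\.|[^'\\])*')
  | (?P<dq>"(?:\\.|[^"\\])*")
  | (?P<com>//[^\n]*|\#[^\n]*|/\*.*?\*/)
""", re.S | re.X)
_EVAL = re.compile(r"(?<![\w$>:])eval\s*\(", re.I)  # skips $eval(, ->eval(, my_eval(

def _mask(m):
    text = m.group(0)
    if m.group("com"):                        # comment: blank it, keep line breaks
        return re.sub(r"[^\n]", " ", text)
    hide = r"[^\n]" if m.group("sq") else r"[^$\n]"  # "..." interpolates $vars
    return text[0] + re.sub(hide, "_", text[1:-1]) + text[-1]

def find_evals(source):
    """Return (line, kind) per eval() call; kind is 'dynamic' or 'constant'."""
    masked = _TOKEN.sub(_mask, source)
    hits = []
    for m in _EVAL.finditer(masked):
        depth, end = 1, m.end()
        while end < len(masked) and depth:    # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(masked[end], 0)
            end += 1
        arg = masked[m.end():end - 1]
        dynamic = "$" in arg or re.search(r"[A-Za-z_]\w*\s*\(", arg)
        hits.append((masked.count("\n", 0, m.start()) + 1,
                     "dynamic" if dynamic else "constant"))
    return hits

def audit_tree(root):
    """List (path, line) of dynamic eval() calls in .php/.inc files under root."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report += [(path, n) for n, k in find_evals(fh.read()) if k == "dynamic"]
    return report

# Constructed sample sources (not taken from any real library).
VULN_SAMPLE = "<?php\n$code = 'return ' . $parsed . ';';\n$val = eval($code);\n"
SAFE_SAMPLE = "<?php\n/* eval($x) in a comment */\n$m = 'eval($in)';\neval('return 1;');\n"
```

Each reported line is a candidate for manual review; the script does not tell whether the evaluated string is reachable from request data.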


Vendor Information

Drupal: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Drupal development team has published a Drupal security advisory DRUPAL-SA-2005-003 in response to this issue. Users are encouraged to review this advisory and upgrade to a fixed version of the software that it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23442845 Feedback>).

Gentoo Linux: Affected

Updated: July 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo Security Project has published the following Gentoo Linux Security Advisories in response to this issue:

* [GLSA 200507-01](<http://www.gentoo.org/security/en/glsa/glsa-200507-01.xml>)
* [GLSA 200507-02](<http://www.gentoo.org/security/en/glsa/glsa-200507-02.xml>)
* [GLSA 200507-06](<http://www.gentoo.org/security/en/glsa/glsa-200507-06.xml>)

Users are encouraged to review these advisories and apply the patches that they refer to.

Mandriva, Inc.: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva Inc. has published Mandriva Linux Security Update Advisories MDKSA-2005:108 and MDKSA-2005:109 in response to this issue. Users are encouraged to review these advisories and apply the patches they refer to.

PEAR XML-RPC: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The PHP Extension and Application Repository (PEAR) project has released version 1.3.1 of the XML_RPC package to address this issue. Users of this software and developers of applications that rely on it are strongly encouraged to upgrade to the fixed version of the code.

PHPXMLRPC: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The XML-RPC for PHP (a.k.a. PHPXMLRPC) project has released version 1.1.1 of the software in response to this issue. Users of this software and developers of applications that rely on it are strongly encouraged to upgrade to the fixed version of the code.

PostNuke: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The PostNuke development team has published PostNuke CMS Security Advisory PNSA 2005-3 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

Red Hat, Inc.: Affected

Updated: December 22, 2005

Status

Affected

Vendor Statement

`Updates are available for Red Hat Enterprise Linux 3 and 4 to correct this
issue. Red Hat Enterprise Linux 2.1 was not affected by this issue. New
php packages along with our advisory are available at the URL below and by
using the Red Hat Network ‘up2date’ tool.

Please note that when using the default SELinux “targeted” policy on Red
Hat Enterprise Linux 4, the impact of this issue is reduced since the
scripts executed by PHP are constrained within the httpd_sys_script_t
security context.

<http://rhn.redhat.com/errata/RHSA-2005-564.html>`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Serendipity: Affected

Updated: July 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Serendipity Weblog System developers have published a fixed version of the software (version 0.8.2) and a security announcement in response to this issue. Users are encouraged to review the announcement and upgrade to the fixed version of the software that it describes.

Trustix Secure Linux: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Trustix Security Team has published Trustix Secure Linux Advisory #2005-0031 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

Ubuntu Linux: Affected

Updated: July 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Ubuntu development team has published Ubuntu Security Notices USN-147-1 and USN-147-2 in response to this issue. Users are encouraged to review these notices and apply the patches they refer to.

WordPress: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The WordPress development team has released WordPress version 1.5.1.3 in response to this issue. Users are encouraged to upgrade to this fixed version of the software.

XOOPS: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The XOOPS development team has released XOOPS version 2.0.13 in response to this issue. Users are encouraged to upgrade to this fixed version of the software.

phpMyFAQ: Affected

Updated: July 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The phpMyFAQ development team has released phpMyFAQ Security Advisory 2005-06-29 in response to this issue. Users are encouraged to review this advisory and upgrade to the fixed version of the software it refers to.

Acknowledgements

James Bercegay of the GulfTech Security Research Team reported this issue.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2005-1921
Severity Metric: 20.75
Date Public:
