phpRPC decode function command execution

2006-03-13T00:00:00
ID SAINT:047741B735A0812F7E512331BE6B9403
Type saint
Reporter SAINT Corporation
Modified 2006-03-13T00:00:00

Description

Added: 03/13/2006
CVE: CVE-2006-1032
BID: 16833
OSVDB: 23514

Background

phpRPC is an xmlrpc library written in PHP supporting most databases.

Problem

A vulnerability in the **decode** function allows a remote attacker to execute arbitrary PHP commands placed inside a **<base64>** tag.

Resolution

phpRPC is no longer maintained by the author, so no fix is available. If phpRPC is installed as part of another product, contact the vendor of that product for a fix. Otherwise, remove phpRPC from the server.

References

<http://archives.neohapsis.com/archives/bugtraq/2006-02/0507.html>