Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:9473
HistoryAug 15, 2005 - 12:00 a.m.

[Full-disclosure] Advisory 14/2005: PEAR XML_RPC Remote PHP Code Injection Vulnerability

2005-08-1500:00:00
vulners.com
15
JSON

Vulnerability
Reply-To:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Hardened-PHP Project
                    www.hardened-php.net

                  -= Security  Advisory =-


 Advisory: PEAR XML_RPC Remote PHP Code Injection Vulnerability

Release Date: 2005/08/15
Last Modified: 2005/08/15
Author: Stefan Esser [[email protected]]

Application: PEAR XML_RPC <= 1.3.3
Severity: A malformed XMLRPC request can result in execution
of arbitrary injected PHP code
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_142005.66.html

Overview:

PEAR XML_RPC is the PEAR-ified version of Useful Inc's XML-RPC
for PHP, which is a PHP implementation of the XML-RPC protocol.
It has support for HTTP transport, proxies and authentication.

After Gulftech released their PHP code injection advisory in the
end of June 2005 we sheduled the code for an audit from our side.
Unfortunately we were able to find another vulnerability in the
XML-RPC libraries that allows injection of arbitrary PHP code
into eval() statements.

Unlike the last vulnerability this is not caused by wrongly
implemented escaping of the user input, but by an improper handling
of XMLRPC requests and responses that are malformed in a certain
way.

To get rid of this and future eval() injection vulnerabilities, the
Hardened-PHP Project has developed together with the maintainers
of both libraries a fix that completely eliminates the use of
eval() from the library.

Details:

When the library parses XMLRPC requests/repsonses, it constructs
a string of PHP code, that is later evaluated. This means any
failure to properly handle the construction of this string can
result in arbitrary execution of PHP code.

In late June a problem was discovered, that certain XML tags where
using single quotes around embedded user input and single quotes
where not escaped. This allowed a typical injection attack. While
all these escaping problems were believed to be fixed, I was able
to find another problems, that allows injection of arbitrary code.

This new injection vulnerability is cause by not properly handling
the situation, when certain XML tags are nested in the parsed
document, that were never meant to be nested at all. This can be
easily exploited in a way, that user-input is placed outside of
string delimiters within the evaluation string, which obviously
results in arbitrary code execution.

Therefore we have added a XML tag nesting verification into the
code and additionally removed all call to eval(). Therefore the
resulting patch eliminates the current and the possibility for
future eval() holes. Additionally this means from the diff
between a vulnerable and a not vulnerable version it is not
possible to find the position of the flaw easily.

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-2498 to this vulnerability.

Proof of Concept:

The Hardened-PHP Project is not going to release an exploit for
this vulnerability to the public.

Disclosure Timeline:

  1. July 2005 - Contact with both library vendors established.
    Issue is discussed and a patch that eliminates
    the use of eval() is developed, improved and
    tested.
  2. August 2005 - Affected applications are contacted and asked
    for beta test of the patches.
  3. August 2005 - Vendors release bugfixed versions, after
    information about this vulnerability leaked
    through one of the affected applications to
    the public.
  4. August 2005 - Public disclosure

Recommendation:

We strongly recommend to upgrade to the vendor supplied new
version, that completely eliminates all calls to eval().

  PEAR XML_RPC 1.4.0
  http://pear.php.net/get/XML_RPC-1.4.0.tgz

You can also upgrade XML_RPC with the pear commandline client,
but because this uses a XML_RPC connection to retrieve the data
it is not recommended.

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDAJF0RDkUzAqGSqERAku9AKCjcTZcuAAQfTaiDQcFVrBzSBQ5cwCdEJmO
5hlRikPiTLgdsdvYrukOS9s=
=/PFy
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

nessus 22
openvas 17
gentoo 6
centos 2
debian 8
osv 3
redhat 1
securityvulns 2
freebsd 1
ubuntucve 1
slackware 3
cve 1
suse 2
ubuntu 1
nessus
nessus
RHEL 3 / 4 : php (RHSA-2005:748)
2005-08-23 00:00:00
GLSA-200508-18 : PhpWiki: Arbitrary command execution through XML-RPC
2005-08-30 00:00:00
Debian DSA-840-1 : drupal - missing input sanitising
2005-10-05 00:00:00
openvas
openvas
Debian Security Advisory DSA 842-1 (egroupware)
2008-01-17 00:00:00
Gentoo Security Advisory GLSA 200508-14 (tikiwiki egroupware)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200508-18 (phpwiki)
2008-09-24 00:00:00
gentoo
gentoo
phpWebSite: Arbitrary command execution through XML-RPC and SQL injection
2005-08-31 00:00:00
PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
2005-08-24 00:00:00
TikiWiki, eGroupWare: Arbitrary command execution through XML-RPC
2005-08-24 00:00:00
centos
centos
php security update
2005-08-31 21:06:57
php security update
2005-08-19 18:20:20
debian
debian
[SECURITY] [DSA 840-1] New drupal packages fix remote command execution
2005-10-04 07:07:56
[SECURITY] [DSA 842-1] New egroupware packages fix arbitrary code execution
2005-10-04 15:11:05
[SECURITY] [DSA 842-1] New egroupware packages fix arbitrary code execution
2005-10-04 15:11:05
osv
osv
drupal - missing input sanitising
2005-10-04 00:00:00
phpgroupware - several
2005-09-02 00:00:00
php4 - several
2005-08-29 00:00:00
redhat
redhat
(RHSA-2005:748) php security update
2005-08-19 00:00:00
securityvulns
securityvulns
[Full-disclosure] Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability
2005-08-15 00:00:00
[Full-disclosure] [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue
2005-08-15 00:00:00
freebsd
freebsd
pear-XML_RPC -- remote PHP code injection vulnerability
2005-08-15 00:00:00
ubuntucve
ubuntucve
CVE-2005-2498
2005-08-15 00:00:00
slackware
slackware
php5 in Slackware 10.1
2005-09-08 15:55:19
PHP
2005-08-30 15:54:11
slackware-current security updates
2005-09-08 15:55:02
cve
cve
CVE-2005-2498
2005-08-15 04:00:00
suse
suse
remote code execution in php4, php5
2005-08-30 14:35:22
local command execution, authentication bypass, in apache2
2005-09-12 13:00:50
ubuntu
ubuntu
PHP4 vulnerabilities
2005-08-21 00:00:00
JSON
Related for SECURITYVULNS:DOC:9473
nessus22openvas17gentoo6centos2debian8osv3redhat1securityvulns2freebsd1ubuntucve1slackware3cve1suse2ubuntu1