FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2005-1921

This CVE name corresponds to:

Entered Topic
2005-08-08 postnuke -- multiple vulnerabilities
2005-07-16 drupal -- PHP code execution vulnerabilities
2005-07-03 pear-XML_RPC -- arbitrary remote code execution

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2005-1921
Phase Assigned(20050608)

Description

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
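The description names the pattern but not the mechanics, so the following is an added illustration, not code from PEAR XML_RPC, PHPXMLRPC or any of the products listed: a constructed minimal decoder that turns `<string>` values from an XML-RPC request into PHP source text and passes it to `eval()`, escaping only some characters, beside the eval-free version that keeps request data as data. The function names, the particular escaping choice and the request payload are assumptions for the demonstration and are not the libraries' real code or a working exploit against them.

```php
<?php
// Added illustration of the eval-injection class described in CVE-2005-1921.
// Not the PEAR XML_RPC / PHPXMLRPC source: a constructed toy decoder.

// Vulnerable pattern (assumed for illustration): build PHP source from the
// request and eval() it. Backslash and double quote are escaped, but the
// values are emitted inside single-quoted literals, so a single quote in
// the XML closes the literal and the rest of the element body runs as PHP.
function decode_with_eval(string $xml): array
{
    $doc  = new SimpleXMLElement($xml);
    $code = '$result = array();';
    foreach ($doc->xpath('//value/string') as $s) {
        // Incomplete sanitisation: the wrong quote character is escaped.
        $escaped = str_replace(array('\\', '"'), array('\\\\', '\\"'), (string) $s);
        $code .= "\$result[] = '" . $escaped . "';";
    }
    eval($code);        // request content is now executing as code
    return $result;
}

// Hardened pattern: parse the XML into PHP values directly. No source
// text is generated, so there is nothing for a quote to break out of.
function decode_safely(string $xml): array
{
    $doc    = new SimpleXMLElement($xml);
    $result = array();
    foreach ($doc->xpath('//value/string') as $s) {
        $result[] = (string) $s;   // data stays data
    }
    return $result;
}

// Constructed request (nowdoc, so PHP does not interpolate the $ inside).
// The second parameter carries a single quote followed by a PHP statement.
$request = <<<'XML'
<methodCall>
  <methodName>examples.echo</methodName>
  <params>
    <param><value><string>hello</string></value></param>
    <param><value><string>x'; $GLOBALS['injected'] = true; $result[] = 'y</string></value></param>
  </params>
</methodCall>
XML;

$GLOBALS['injected'] = false;

$vuln = decode_with_eval($request);
// $GLOBALS['injected'] is now true: the attacker-supplied statement ran,
// and $vuln holds array('hello', 'x', 'y') rather than the two real values.
echo 'eval decoder: injected=' . var_export($GLOBALS['injected'], true)
   . ' values=' . count($vuln) . "\n";

$GLOBALS['injected'] = false;

$safe = decode_safely($request);
// $GLOBALS['injected'] stays false: the payload is just the second string,
// quote and all, and $safe holds exactly the two values sent.
echo 'safe decoder: injected=' . var_export($GLOBALS['injected'], true)
   . ' values=' . count($safe) . "\n";
```

Run it with `php decode.php` (any file name). The point to carry away is the one the CVE text makes: escaping a list of characters before `eval()` is not sanitisation, because the attacker only needs the one character the list missed; the durable fix is the second function's shape, an XML parser that produces values and never produces source.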

References

Source Reference
BUGTRAQ 20050629 Advisory 02/2005: Remote code execution in Serendipity
MISC http://pear.php.net/package/XML_RPC/download/1.3.1
MISC http://www.gulftech.org/?node=research&article_id=00087-07012005
MISC http://www.hardened-php.net/advisory-022005.php
CONFIRM http://sourceforge.net/project/shownotes.php?release_id=338803
DEBIAN DSA-745
DEBIAN DSA-747
DEBIAN DSA-789
DEBIAN DSA-746
GENTOO GLSA-200507-01
GENTOO GLSA-200507-06
GENTOO GLSA-200507-07
HP HPSBTU02083
HP SSRT051069
MANDRAKE MDKSA-2005:109
REDHAT RHSA-2005:564
SUSE SUSE-SA:2005:051
BUGTRAQ 20050629 [DRUPAL-SA-2005-003] Drupal 4.6.2 / 4.5.4 fixes critical XML-RPC issue
CONFIRM http://www.drupal.org/security/drupal-sa-2005-003/advisory.txt
CONFIRM http://sourceforge.net/project/showfiles.php?group_id=87163
CONFIRM http://www.ampache.org/announce/3_3_1_2.php
SUSE SUSE-SA:2005:041
SUSE SUSE-SA:2005:049
SUSE SUSE-SR:2005:018
BID 14088
OVAL oval:org.mitre.oval:def:11294
VUPEN ADV-2005-2827
OVAL oval:org.mitre.oval:def:350
SECTRACK 1015336
SECUNIA 15852
SECUNIA 15872
SECUNIA 15944
SECUNIA 15947
SECUNIA 15957
SECUNIA 16001
SECUNIA 18003
SECUNIA 15810
SECUNIA 15855
SECUNIA 15861
SECUNIA 15883
SECUNIA 15884
SECUNIA 15895
SECUNIA 15903
SECUNIA 15904
SECUNIA 15916
SECUNIA 15917
SECUNIA 15922
SECUNIA 16339
SECUNIA 16693
SECUNIA 17440
SECUNIA 17674