FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

pear-XML_RPC -- remote PHP code injection vulnerability

Affected packages
pear-XML_RPC < 1.4.0
phpmyfaq < 1.4.11
drupal < 4.6.3
eGroupWare < 1.0.0.009
phpAdsNew < 2.0.5
phpgroupware < 0.9.16.007
b2evolution < 0.9.0.12_2

Details

VuXML ID e65ad1bf-0d8b-11da-90d0-00304823c0d3
Discovery 2005-08-15
Entry 2005-08-15
Modified 2005-09-04

A Hardened-PHP Project Security Advisory reports:

When the library parses XMLRPC requests/responses, it constructs a string of PHP code, that is later evaluated. This means any failure to properly handle the construction of this string can result in arbitrary execution of PHP code.

This new injection vulnerability is cause by not properly handling the situation, when certain XML tags are nested in the parsed document, that were never meant to be nested at all. This can be easily exploited in a way, that user-input is placed outside of string delimiters within the evaluation string, which obviously results in arbitrary code execution.

Note that several applications contains an embedded version on XML_RPC, therefor making them the vulnerable to the same code injection vulnerability.

References

CVE Name CVE-2005-2498
URL http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1
URL http://downloads.phpgroupware.org/changelog
URL http://drupal.org/files/sa-2005-004/advisory.txt
URL http://phpadsnew.com/two/nucleus/index.php?itemid=45
URL http://sourceforge.net/project/shownotes.php?release_id=349626
URL http://www.hardened-php.net/advisory_142005.66.html
URL http://www.hardened-php.net/advisory_152005.67.html
URL http://www.phpmyfaq.de/advisory_2005-08-15.php