OpenBSD VuXML: Documenting security issues in the OpenBSD Ports & Packages Collection

php4-pear -- PHP script injection vulnerability

Affected packages
php4-pear < 4.4.0

Details

VuXML ID b9d96cbe-f2d2-11d9-82d5-00065bd5b0b6
Discovery 2005-07-02
Entry 2005-07-12

James Bercegay of GulfTech Security Research discovered that the PEAR XML-RPC library fails to sanitize input sent using the "POST" method. A remote attacker could exploit this vulnerability to execute arbitrary PHP script code by sending a specially crafted XML document to web applications making use of these libraries.

References

CVE Name CAN-2005-1921
URL http://www.gulftech.org/?node=research&article_id=00088-07022005