Vulnerability Note VU#442845

Multiple PHP XML-RPC implementations vulnerable to code injection

Original Release date: 06 Jul 2005 | Last revised: 09 Mar 2007

Overview

A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system.

Description

XML-RPC is a specification and a set of implementations that allow software running on disparate operating systems and in different environments to make procedure calls over the Internet. XML-RPC uses HTTP for the transport protocol and XML for the data encoding. Several independent implementations of XML-RPC exist for PHP applications.

A common flaw in the way that several XML-RPC PHP implementations pass unsanitized user input to eval() within the XML-RPC server results in a vulnerability that could allow a remote attacker to execute code on a vulnerable system. An attacker with the ability to upload a crafted XML file could insert PHP code that would then be executed by the web application using the vulnerable XML-RPC code.

Impact

Remote attackers may be able to execute PHP code of their choosing on a vulnerable system. The code would be executed in the context of the server program that runs the corresponding web application. Secondary impacts of a compromised web service account include, but are not limited to, malicious modification of web site data, information disclosure, and access that may be leveraged to gain additional system privileges.

Solution

Upgrade or apply a patch

Various vendors have published patches and updated versions of their software to address this issue. Please see the Systems Affected section of this document for information on a specific product or vendor.

Note that because the vulnerability exists in a common extension module, any application that uses the flawed code, including custom applications, may expose the vulnerability. Developers that bundle their own versions of the XML-RPC library with their application should exercise extra care to evaluate their own potential use of the vulnerable code.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
DrupalAffected-06 Jul 2005
Gentoo LinuxAffected-08 Jul 2005
Mandriva, Inc.Affected-06 Jul 2005
PEAR XML-RPCAffected-06 Jul 2005
phpMyFAQAffected-06 Jul 2005
PHPXMLRPCAffected-06 Jul 2005
PostNukeAffected-06 Jul 2005
Red Hat, Inc.Affected-22 Dec 2005
SerendipityAffected-08 Jul 2005
Trustix Secure LinuxAffected-06 Jul 2005
Ubuntu LinuxAffected-08 Jul 2005
WordPressAffected-06 Jul 2005
XOOPSAffected-06 Jul 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

James Bercegay of the GulfTech Security Research Team reported this issue.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2005-1921
  • Date Public: 29 Jun 2005
  • Date First Published: 06 Jul 2005
  • Date Last Updated: 09 Mar 2007
  • Severity Metric: 20.75
  • Document Revision: 63

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.