[gentoo-announce] [ GLSA 200508-13 ] PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200508-13 ] PEAR XML-RPC, phpxmlrpc: New PHP script injection vulnerability
Date:	Wed, 24 Aug 2005 09:11:27
Message-Id:	`430C362E.3020206@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200508-13

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: PEAR XML-RPC, phpxmlrpc: New PHP script injection

9

            vulnerability

10

      Date: August 24, 2005

11

      Bugs: #102378, #102576

12

        ID: 200508-13

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Synopsis

17

========

18

19

The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to

20

execute arbitrary PHP script commands.

21

22

Background

23

==========

24

25

The PEAR XML-RPC and phpxmlrpc libraries are both PHP implementations

26

of the XML-RPC protocol.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package               /  Vulnerable  /                 Unaffected

33

    -------------------------------------------------------------------

34

  1  dev-php/PEAR-XML_RPC       < 1.4.0                       >= 1.4.0

35

  2  dev-php/phpxmlrpc         < 1.2-r1                      >= 1.2-r1

36

    -------------------------------------------------------------------

37

     2 affected packages on all of their supported architectures.

38

    -------------------------------------------------------------------

39

40

Description

41

===========

42

43

Stefan Esser of the Hardened-PHP Project discovered that the PEAR

44

XML-RPC and phpxmlrpc libraries were improperly handling XMLRPC

45

requests and responses with malformed nested tags.

46

47

Impact

48

======

49

50

A remote attacker could exploit this vulnerability to inject arbitrary

51

PHP script code into eval() statements by sending a specially crafted

52

XML document to web applications making use of these libraries.

53

54

Workaround

55

==========

56

57

There are no known workarounds at this time.

58

59

Resolution

60

==========

61

62

All PEAR-XML_RPC users should upgrade to the latest available version:

63

64

    # emerge --sync

65

    # emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.4.0"

66

67

All phpxmlrpc users should upgrade to the latest available version:

68

69

    # emerge --sync

70

    # emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.2-r1"

71

72

References

73

==========

74

75

  [ 1 ] CAN-2005-2498

76

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498

77

  [ 2 ] Hardened-PHP 14/2005 Advisory

78

        http://www.hardened-php.net/advisory_142005.66.html

79

  [ 3 ] Hardened-PHP 15/2005 Advisory

80

        http://www.hardened-php.net/advisory_152005.67.html

81

82

Availability

83

============

84

85

This GLSA and any updates to it are available for viewing at

86

the Gentoo Security Website:

87

88

  http://security.gentoo.org/glsa/glsa-200508-13.xml

89

90

Concerns?

91

=========

92

93

Security is a primary focus of Gentoo Linux and ensuring the

94

confidentiality and security of our users machines is of utmost

95

importance to us. Any security concerns should be addressed to

96

security@g.o or alternatively, you may file a bug at

97

http://bugs.gentoo.org.

98

99

License

100

=======

101

102

Copyright 2005 Gentoo Foundation, Inc; referenced text

103

belongs to its owner(s).

104

105

The contents of this document are licensed under the

106

Creative Commons - Attribution / Share Alike license.

107

108

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200508-13
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: PEAR XML-RPC, phpxmlrpc: New PHP script injection
9	vulnerability
10	Date: August 24, 2005
11	Bugs: #102378, #102576
12	ID: 200508-13
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Synopsis
17	========
18
19	The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to
20	execute arbitrary PHP script commands.
21
22	Background
23	==========
24
25	The PEAR XML-RPC and phpxmlrpc libraries are both PHP implementations
26	of the XML-RPC protocol.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 dev-php/PEAR-XML_RPC < 1.4.0 >= 1.4.0
35	2 dev-php/phpxmlrpc < 1.2-r1 >= 1.2-r1
36	-------------------------------------------------------------------
37	2 affected packages on all of their supported architectures.
38	-------------------------------------------------------------------
39
40	Description
41	===========
42
43	Stefan Esser of the Hardened-PHP Project discovered that the PEAR
44	XML-RPC and phpxmlrpc libraries were improperly handling XMLRPC
45	requests and responses with malformed nested tags.
46
47	Impact
48	======
49
50	A remote attacker could exploit this vulnerability to inject arbitrary
51	PHP script code into eval() statements by sending a specially crafted
52	XML document to web applications making use of these libraries.
53
54	Workaround
55	==========
56
57	There are no known workarounds at this time.
58
59	Resolution
60	==========
61
62	All PEAR-XML_RPC users should upgrade to the latest available version:
63
64	# emerge --sync
65	# emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.4.0"
66
67	All phpxmlrpc users should upgrade to the latest available version:
68
69	# emerge --sync
70	# emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.2-r1"
71
72	References
73	==========
74
75	[ 1 ] CAN-2005-2498
76	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
77	[ 2 ] Hardened-PHP 14/2005 Advisory
78	http://www.hardened-php.net/advisory_142005.66.html
79	[ 3 ] Hardened-PHP 15/2005 Advisory
80	http://www.hardened-php.net/advisory_152005.67.html
81
82	Availability
83	============
84
85	This GLSA and any updates to it are available for viewing at
86	the Gentoo Security Website:
87
88	http://security.gentoo.org/glsa/glsa-200508-13.xml
89
90	Concerns?
91	=========
92
93	Security is a primary focus of Gentoo Linux and ensuring the
94	confidentiality and security of our users machines is of utmost
95	importance to us. Any security concerns should be addressed to
96	security@g.o or alternatively, you may file a bug at
97	http://bugs.gentoo.org.
98
99	License
100	=======
101
102	Copyright 2005 Gentoo Foundation, Inc; referenced text
103	belongs to its owner(s).
104
105	The contents of this document are licensed under the
106	Creative Commons - Attribution / Share Alike license.
107
108	http://creativecommons.org/licenses/by-sa/2.0