
This is a discussion on Attention Jaguar PC: PEAR XML_RPC Vulnerability and PHP 4.4.0RC2 release in the Open Discussion & Chit-chat forum

  1. #1 Vin DSL (Yeah, I know a LOT!) | Join Date: Mar 2003 | Location: Arizona Uplands | Posts: 10,775

    Attention Jaguar PC: PEAR XML_RPC Vulnerability and PHP 4.4.0RC2 release

    JagPC, et al, please note...

    Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

    The flaw affects the XML-RPC function, which has many uses in web applications, including "ping" update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls (RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.

    The XML-RPC flaw was discovered by James Bercegay of GulfTech Security Research. Bercegay found that the libraries are "vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver ... By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server."

    Updated copies of the libraries are now available, and immediate upgrades are recommended. The nature of the flaw poses a dilemma for site operators on shared hosting services, who may run affected applications on their sites but not have the ability to update the server's PHP installation with the secure libraries. Disabling XML-RPC features is the recommended workaround.
    SOURCE: http://news.netcraft.com/archives/20... xploits.html

    [01-Jul-2005] An easily exploitable security issue was discovered in PEAR XML_RPC <= 1.3.0. We recommend that users of this PEAR class immediately upgrade to the latest version with:

    pear upgrade XML_RPC

    The same security problem exists in many other XML RPC implementations, please check if the installed applications that you use might have a similar problem.

    The new PEAR XML_RPC package is also bundled with the second release candidate of PHP 4.4.0, PHP 4.4.0RC2. Besides this new PEAR package there are two minor issues fixed since PHP 4.4.0RC1. As the improved reference support in PHP 4.4 might show as notices and warnings in your existing applications - in cases where PHP formerly just silently ignored this, often causing memory corruption - we also recommend testing PHP 4.4.0RC2 with your applications. The final release is planned for July 11th. PHP 4.4.0RC2 can be found here.
    SOURCE: http://www.php.net/
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010
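An added illustration of the bug class Bercegay describes above (example code written for this page; it is not from the thread, from PEAR XML_RPC, or from any of the listed applications). It contrasts a toy decoder that assembles source text around request values and hands it to eval(), so a quote in the data changes where the string literal ends, with a structural decoder built on Python's standard-library xmlrpc.client.loads, which walks the XML tree and never lets request data reach an interpreter. The sample requests, method names and URLs are constructed for the example.

```python
"""Eval-based versus structural XML-RPC decoding (added example, not PEAR code)."""
import re
import xmlrpc.client

# Constructed request. The first <string> contains an apostrophe: ordinary data,
# but exactly the character that terminates a single-quoted source literal.
QUOTED_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>weblogUpdates.ping</methodName>
  <params>
    <param><value><string>O'Reilly Radar</string></value></param>
    <param><value><string>http://example.invalid/feed</string></value></param>
  </params>
</methodCall>
"""

# Constructed request with no quote characters; both decoders agree on it,
# which is why an eval-based decoder can sit unnoticed in production.
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params>
    <param><value><string>Example Blog</string></value></param>
    <param><value><int>42</int></value></param>
  </params>
</methodCall>
"""

_VALUE_RE = re.compile(r"<value><(string|int|i4)>(.*?)</\1></value>", re.S)


def decode_with_eval(xml_text):
    """Toy decoder mirroring the vulnerable pattern (simplified, hypothetical):
    each <value> becomes a fragment of source code and the concatenation is
    evaluated. Data and code share one string, so the request body decides
    where each literal ends."""
    parts = []
    for kind, raw in _VALUE_RE.findall(xml_text):
        if kind == "string":
            parts.append("'" + raw + "'")  # no escaping: this is the defect
        else:
            parts.append(raw)
    return eval("[" + ", ".join(parts) + "]")  # deliberately unsafe, for contrast


def eval_decoder_breaks_on(xml_text):
    """True when the assembled source no longer parses: the data has altered
    the structure of the code. Any input that does this crosses the
    data/code boundary, malicious or not."""
    try:
        decode_with_eval(xml_text)
    except SyntaxError:
        return True
    return False


def decode_structurally(xml_text):
    """Safe decoder: xmlrpc.client.loads parses the XML and builds Python
    values directly from the tree. Quotes or anything else inside a
    <string> remain data. Returns (method name, list of params)."""
    params, method = xmlrpc.client.loads(xml_text)
    return method, list(params)


if __name__ == "__main__":
    print("benign, eval decoder:", decode_with_eval(BENIGN_REQUEST))
    print("benign, structural:  ", decode_structurally(BENIGN_REQUEST))
    print("quoted, structural:  ", decode_structurally(QUOTED_REQUEST))
    print("quoted breaks eval decoder:", eval_decoder_breaks_on(QUOTED_REQUEST))
```

The structural decoder is the design point rather than a replacement for the fix the thread recommends: on the affected hosts the remedy is still `pear upgrade XML_RPC` (or disabling XML-RPC endpoints where the library cannot be updated), and the example only shows why a decoder that routes request values through eval() cannot be made safe by input filtering alone.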

  2. #2 JPC-Masood (CTO) | Join Date: Aug 2002 | Location: Jaguar Servers | Posts: 2,070
    Thanks for the heads up. PEAR XML_RPC has been upgraded on all shared hosting servers.

    Masood N. | Chief Technical Officer
    JaguarPC.com

  3. #3 Vin DSL (Yeah, I know a LOT!) | Join Date: Mar 2003 | Location: Arizona Uplands | Posts: 10,775
    You dah man!

  4. #4 Julian Muñoz (Like a star...) | Join Date: Oct 2002 | Location: Colombia | Posts: 1,399
    Thanks (Y) I just upgraded my server!
    Julian D. Muñoz - LANeros.com

  5. #5 tank (Voltron wannabe) | Join Date: Apr 2004 | Location: Houston | Posts: 306
    FYI: 4.4.0 Official Release is now out
