XMLRPC vulnerabilities round 2 - PHP Security Blog

XMLRPC vulnerabilities round 2

Monday, August 15. 2005

Monday, August 15. 2005

While some other people were busy discussing my motives and trying to covince others of my poor intentions, I was busy coordinating and preparing the release of another round of very serious XMLRPC vulnerabilities.

For more detailed information have a look at my advisories for PEAR XML_RPC and PHPXMLRPC.

Please upgrade your PEAR XML_RPC package as soon as possible or prepare to get owned by the next wave of XML_RPC exploits.

Updated packages for Drupal are already out and the other 21 affected applications will follow soon.

Posted by Stefan Esser in Security, PHP at 13:17

Comments (8)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Toby wrote (Link) ()

You really do a very good job in PHP security, Stefan. I very much appreciate that!

posted on Monday, August 15. 2005

#2 Gijs ()

Haha,
"Let's call him Mr. E" Mister ExceptionalGoodAuditor

Nice work, I think you're a very good auditor. Wish I was too...

I know some work of your pre your PHP research such as the famous CVS double free().

posted on Monday, August 15. 2005

#3 Kenrick wrote (Link) ()

ah, I think Im glad im still using REST instead of soap and xmlrpc.... Whats so wrong with GET/POST?

posted on Monday, August 15. 2005

#4 Harry Fuecks wrote (Link) ()

Well spotted. Posted this comment (as Anon Coward) to the /. discussion of the first vuln found: http://it.slashdot.org/comments.pl?sid=154824&cid=12983779

"First looking at the diff which patched the exploit here [php.net], all that's basically changed is replacing a single quote with a double quote. That may prevent this specific exploit but the use of eval() is still there and I'm not see any further stringent checks that the incoming input is valid / safe etc. Would not be surprised if there are other ways to "inject" code here."

Good that the eval() is now gone.

posted on Monday, August 15. 2005

#4.1 Jacques Marneweck wrote (Link) ()

What is scary is that lots of newbies want to use eval() without considering the consequences of said usage.

posted on Monday, August 15. 2005

#5 Paul M. Jones wrote (Link) ()

Kicking ass and taking names, as usual -- nicely done.

posted on Monday, August 15. 2005

#6 Ian Holsman wrote (Link) ()

So.
If I don't have PEAR enabled on my machine, does this affect me?
if so .. how do I upgrade?

posted on Monday, August 15. 2005

#6.1 Stefan ()

If you do not have PEAR installed, then it can only affect you if you use one of the many PHP applications (I know of 22) that use PHPXMLRPC or PEAR XML_RPC, because they usually bundle their own versions.

Well if any of the applications you use is affected, you will most probably see a security update on their site within the next 1-2 days. If not, they maybe have atleast a warning.

posted on Monday, August 15. 2005

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?
Subscribe to this entry

Calendar

Archives

September 2009
August 2009
July 2009
Recent...
Older...

Categories

XML

XML

XML

Syndicate This Blog

XML

RSS 0.91 feed

XML

RSS 1.0 feed

XML

RSS 2.0 feed

ATOM/XML

ATOM 0.3 feed

XML

RSS 2.0 Comments

Protected By

Hardening-Patch for PHP