[isf-wifidog] PHP XML Security issue

Radek Zajkowski radek.z at engagelearn.com
Mer 6 Juil 07:44:37 EDT 2005

Hi all,

This was posted on Slashdot recently, and since PHP/XML seem to pop up 
here you may want to read this:




Many popular PHP-based blogging, wiki and content management programs 
can be exploited through a security hole in the way PHP programs handle 
XML commands. The flaw allows an attacker to compromise a web server, 
and is found in programs including PostNuke 
<http://news.postnuke.com/Article2699.html>, WordPress 
<http://wordpress.org/development/2005/06/wordpress-1513/>, Drupal 
<http://drupal.org/drupal-4.6.2>, Serendipity 
phpAdsNew <http://phpadsnew.com/two/nucleus/index.php?itemid=45>, 
phpWiki <http://sourceforge.net/forum/forum.php?forum_id=478443> and 
phpMyFAQ <http://www.phpmyfaq.de/advisory_2005-06-29.php>, among others.

The flaw affects the XML-RPC <http://www.xmlrpc.com/> function, which 
has many uses in web applications, including "ping" update notifications 
for RSS feeds. PHP libraries that allow applications to exchange XML 
data using remote procedure calls 
<http://www.webopedia.com/TERM/R/RPC.html>(RPC) fail to fully check 
incoming data for malicious commands. The affected libraries, including 
PHPXMLRPC <http://phpxmlrpc.sourceforge.net/> and Pear XML-RPC 
<http://www.php.net/>, are included in many interactive applications 
written in PHP.

The XML-RPC flaw 
<http://www.gulftech.org/?node=research&article_id=00088-07022005> was 
discovered by James Bercegay of GulfTech Security Research. Bercegay 
found that the libraries are "vulnerable to a very high risk remote php 
code execution vulnerability that may allow for an attacker to 
compromise a vulnerable webserver ... By creating an XML file that uses 
single quotes to escape into the eval() call an attacker can easily 
execute php code on the target server."

Updated copies of the libraries are now available, and immediate 
upgrades are recommended. The nature of the flaw poses a dilemma for 
site operators on shared hosting services, who may run affected 
applications on their sites but not have the ability to update the 
server's PHP installation with the secure libraries. Disabling XML-RPC 
features is the recommended workaround.

More information about the WiFiDog mailing list