[isf-wifidog] PHP XML Security issue
Radek Zajkowski
radek.z at engagelearn.com
Wed Jul 6 07:44:37 EDT 2005
Hi all,
This was posted on Slashdot recently, and since PHP/XML seem to pop up
here you may want to read this:
http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerable_to_xmlrpc_exploits.html
Radek.
__________________________________________
Many popular PHP-based blogging, wiki and content management programs
can be exploited through a security hole in the way PHP programs handle
XML commands. The flaw allows an attacker to compromise a web server,
and is found in programs including PostNuke
<http://news.postnuke.com/Article2699.html>, WordPress
<http://wordpress.org/development/2005/06/wordpress-1513/>, Drupal
<http://drupal.org/drupal-4.6.2>, Serendipity
<http://blog.s9y.org/archives/36-CRITICAL-BUGFIX-RELEASE-Serendipity-0.8.2.html>,
phpAdsNew <http://phpadsnew.com/two/nucleus/index.php?itemid=45>,
phpWiki <http://sourceforge.net/forum/forum.php?forum_id=478443> and
phpMyFAQ <http://www.phpmyfaq.de/advisory_2005-06-29.php>, among others.

The flaw affects the XML-RPC <http://www.xmlrpc.com/> function, which
has many uses in web applications, including "ping" update notifications
<http://www.masternewmedia.org/news/2004/11/10/increase_visibility_in_blog_and.htm>
for RSS feeds. PHP libraries that allow applications to exchange XML
data using remote procedure calls
<http://www.webopedia.com/TERM/R/RPC.html> (RPC) fail to fully check
incoming data for malicious commands. The affected libraries, including
PHPXMLRPC <http://phpxmlrpc.sourceforge.net/> and Pear XML-RPC
<http://www.php.net/>, are included in many interactive applications
written in PHP.

The XML-RPC flaw
<http://www.gulftech.org/?node=research&article_id=00088-07022005> was
discovered by James Bercegay of GulfTech Security Research. Bercegay
found that the libraries are "vulnerable to a very high risk remote php
code execution vulnerability that may allow for an attacker to
compromise a vulnerable webserver ... By creating an XML file that uses
single quotes to escape into the eval() call an attacker can easily
execute php code on the target server."

Updated copies of the libraries are now available, and immediate
upgrades are recommended. The nature of the flaw poses a dilemma for
site operators on shared hosting services, who may run affected
applications on their sites but not have the ability to update the
server's PHP installation with the secure libraries. Disabling XML-RPC
features is the recommended workaround.
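
An added example, not part of the original post or the Netcraft article: a small scanner that walks a web root and lists bundled XML-RPC library files that pass run-time data to eval(), so an operator can see which installed applications carry their own copy to upgrade or disable. The file-name patterns and the sample tree are assumptions constructed for illustration; a hit means "review this copy", not proof of the specific flaw.

```python
import os
import re
import tempfile

# Assumption: name patterns typical of bundled XML-RPC library files.
LIB_NAME = re.compile(r"xml_?rpc|^rpc\.php$", re.IGNORECASE)
# eval() whose argument contains a PHP variable, i.e. code built at run time.
EVAL_CALL = re.compile(r"\beval\s*\([^;]*\$[^;]*\)\s*;")

def scan_tree(root):
    """Return sorted (relative_path, line_no, source_line) for each eval() hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                text = fh.read()
            # Report only files that look like an XML-RPC library (name or content).
            if not (LIB_NAME.search(name) or "xmlrpc" in text.lower()):
                continue
            for no, line in enumerate(text.splitlines(), 1):
                stripped = line.strip()
                if EVAL_CALL.search(stripped):
                    hits.append((os.path.relpath(path, root), no, stripped))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed sample web root (not real application code)."""
    samples = {
        ("blog", "includes", "xmlrpc.inc"):
            "<?php\n$code = '$v = ' . $data . ';';\neval($code);\n",
        ("wiki", "lib", "rpc_client.php"):
            "<?php\n// xmlrpc client, no eval\n$v = (string) $data;\n",
        ("wiki", "plugins", "calc.php"):
            "<?php\neval($expr);\n",  # eval, but not an XML-RPC library
    }
    for parts, body in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, no, src in scan_tree(root):
            print(f"{rel}:{no}: {src}")
```
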