[isf-wifidog] PHP XML Security issue

Proulx François fproulx at edito.qc.ca
Mer 6 Juil 08:31:44 EDT 2005

We are using PHP5, this only affects PHP4 with XML-RPC ( which we are  
not using at all).

On 6-Jul-2005, at 7:44 , Radek Zajkowski wrote:

> Hi all,
> This was posted on Slashdot recently, and since PHP/XML seem to pop  
> up here you may want to read this:
> http://news.netcraft.com/archives/2005/07/04/ 
> php_blogging_apps_vulnerable_to_xmlrpc_exploits.html
> Radek.
> __________________________________________
> Many popular PHP-based blogging, wiki and content management  
> programs can be exploited through a security hole in the way PHP  
> programs handle XML commands. The flaw allows an attacker to  
> compromise a web server, and is found in programs including  
> PostNuke <http://news.postnuke.com/Article2699.html>, WordPress  
> <http://wordpress.org/development/2005/06/wordpress-1513/>, Drupal  
> <http://drupal.org/drupal-4.6.2>, Serendipity <http://blog.s9y.org/ 
> archives/36-CRITICAL-BUGFIX-RELEASE-Serendipity-0.8.2.html>,  
> phpAdsNew <http://phpadsnew.com/two/nucleus/index.php?itemid=45>,  
> phpWiki <http://sourceforge.net/forum/forum.php?forum_id=478443>  
> and phpMyFAQ <http://www.phpmyfaq.de/advisory_2005-06-29.php>,  
> among others.
> The flaw affects the XML-RPC <http://www.xmlrpc.com/> function,  
> which has many uses in web applications, including "ping" update  
> notifications <http://www.masternewmedia.org/news/2004/11/10/ 
> increase_visibility_in_blog_and.htm> for RSS feeds. PHP libraries  
> that allow applications to exchange XML data using remote procedure  
> calls <http://www.webopedia.com/TERM/R/RPC.html>(RPC) fail to fully  
> check incoming data for malicious commands. The affected libraries,  
> including PHPXMLRPC <http://phpxmlrpc.sourceforge.net/> and Pear  
> XML-RPC <http://www.php.net/>, are included in many interactive  
> applications written in PHP.
> The XML-RPC flaw <http://www.gulftech.org/? 
> node=research&article_id=00088-07022005> was discovered by James  
> Bercegay of GulfTech Security Research. Bercegay found that the  
> libraries are "vulnerable to a very high risk remote php code  
> execution vulnerability that may allow for an attacker to  
> compromise a vulnerable webserver ... By creating an XML file that  
> uses single quotes to escape into the eval() call an attacker can  
> easily execute php code on the target server."
> Updated copies of the libraries are now available, and immediate  
> upgrades are recommended. The nature of the flaw poses a dilemma  
> for site operators on shared hosting services, who may run affected  
> applications on their sites but not have the ability to update the  
> server's PHP installation with the secure libraries. Disabling XML- 
> RPC features is the recommended workaround.
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog

More information about the WiFiDog mailing list