A serious vulnerability in the PEAR
library and the XML-RPC for PHP
package has been disclosed
. The vulnerability allows unsanitized data to be passed to the
call, which would allow execution of arbitrary PHP code.
The vulnerability was reported by James Bercegay of the GulfTech Security Research Team. Bercegay reports that the
parseRequest() function passes data to
eval() without sanitizing the input first. As a result, a properly-crafted XML file can be used to execute PHP code on the targeted server. Bercegay's advisory gives an example that could be used to execute the relatively harmless
phpinfo() function to be executed on a target server:
<value><name>','')); phpinfo(); exit;/*</name></value>
PEAR's library or the XML-RPC for PHP package are used in a number of PHP-based projects, including WordPress, Drupal, PostNuke, Xaraya, phpGroupWare, Tikiwiki, and many others, which means that there are a lot of vulnerable servers out there. Users of PHP-based blogging applications and other packages that use XML_RPC should check to see if the software is vulnerable and update the package as soon as a new release is available. Some projects, like PostNuke, are advising users to remove the offending code altogether.
PEAR's XML_RPC library is also distributed with many Linux distributions. Most of the vulnerable projects and distributions have announced updated packages, and the PHP project has bundled the new PEAR XML_RPC package in PHP 4.4.0RC2, and a separate release is available on the PEAR site. The final PHP 4.4.0 release is scheduled for July 11. Users can also update the PEAR library by running "
pear upgrade XML_RPC" as root or using sudo. An update of XML-RPC for PHP is also available.
Users should upgrade or take steps to remove the library as soon as possible, as it seems likely that exploits of this vulnerability will begin appearing in the wild soon, if they have not already.
to post comments)