Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

Updated PHP packages that fix two security issues are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue.

When using the default SELinux 'targeted' policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context.

A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue.

Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.

Postnuke Security Announcementss reports of the following vulnerabilities :

- missing input validation within /modules/Messages/readpmsg.php

- possible path disclosure within /user.php

- possible path disclosure within /modules/News/article.php

- possible remote code injection within /includes/pnMod.php

- possible cross-site-scripting in /index.php

- remote code injection via xml rpc library

A remote code execution vulnerability has been discovered in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server's privileges.

In Ubuntu 5.04 (Hoary Hedgehog), the PEAR extension is unsupported (it is contained in the php4-universe package which is part of universe).
However, since this is a highly critical vulnerability, that package was fixed as well.

Please note that many applications contain a copy of the affected XMLRPC code, which must be fixed separately. The following packages may also be affected, but are unsupported in Ubuntu :

  - drupal - wordpress - phpwiki - horde3 - ewiki -     egroupware - phpgroupware

These packages might be fixed by the community later.

The following common third-party applications are affected as well, but not packaged for Ubuntu :

  - Serendipity - Postnuke - tikiwiki - phpwebsite

If you run any affected software, please upgrade them as soon as possible to protect your server.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host appears to be running phpAdsNew, an open source ad server written in PHP. 

The version of phpAdsNew installed on the remote host allows attackers to execute arbitrary PHP code subject to the privileges of the web server user id due to a flaw in its bundled XML-RPC library.

Several security related problems have been found in PHP4, the server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2005-1751     Eric Romang discovered insecure temporary files in the     shtool utility shipped with PHP that can exploited by a     local attacker to overwrite arbitrary files. Only this     vulnerability affects packages in oldstable.

  - CAN-2005-1921

    GulfTech has discovered that PEAR XML_RPC is vulnerable     to a remote PHP code execution vulnerability that may     allow an attacker to compromise a vulnerable server.

  - CAN-2005-2498

    Stefan Esser discovered another vulnerability in the     XML-RPC libraries that allows injection of arbitrary PHP     code into eval() statements.

Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's filter mechanism. An attacker could execute arbitrary PHP code on a target site when public comments or postings are allowed.

The remote host is affected by the vulnerability described in GLSA-200507-15 (PHP: Script injection through XML-RPC)

    James Bercegay has discovered that the XML-RPC implementation in     PHP fails to sanitize input passed in an XML document, which is used in     an 'eval()' statement.
  Impact :

    A remote attacker could exploit the XML-RPC vulnerability to     execute arbitrary PHP script code by sending specially crafted XML data     to applications making use of this XML-RPC implementation.
  Workaround :

    There is no known workaround at this time.

A vulnerability had been identified in the xmlrpc library included with phpgroupware, a web-based application including email, calendar and other groupware functionality. This vulnerability could lead to the execution of arbitrary commands on the server running phpgroupware.

The security team is continuing to investigate the version of phpgroupware included with the old stable distribution (woody). At this time we recommend disabling phpgroupware or upgrading to the current stable distribution (sarge).

GulfTech Security Research Team reports :

PEAR XML_RPC is vulnerable to a very high risk php code injection vulnerability due to unsanatized data being passed into an eval() call.

New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue with the PEAR XML_RPC class that allows a remote attacker to run arbitrary PHP code. Sites that make use of this PHP library should upgrade to the new PHP package right away, or may instead upgrade the XML_RPC PEAR class with the following command: pear upgrade XML_RPC

The remote host is affected by the vulnerability described in GLSA-200507-08 (phpGroupWare, eGroupWare: PHP script injection vulnerability)

    The XML-RPC implementations of phpGroupWare and eGroupWare fail to     sanitize input sent to the XML-RPC server using the 'POST' method.
  Impact :

    A remote attacker could exploit the XML-RPC vulnerability to     execute arbitrary PHP script code by sending specially crafted XML data     to the XML-RPC servers of phpGroupWare or eGroupWare.
  Workaround :

    There are no known workarounds at this time.

A vulnerability has been identified in the xmlrpc library included in the egroupware package. This vulnerability could lead to the execution of arbitrary commands on the server running egroupware.

The old stable distribution (woody) did not include egroupware.

The remote host is affected by the vulnerability described in GLSA-200507-07 (phpWebSite: Multiple vulnerabilities)

    phpWebSite fails to sanitize input sent to the XML-RPC server     using the 'POST' method. Other unspecified vulnerabilities have been     discovered by Diabolic Crab of Hackers Center.
  Impact :

    A remote attacker could exploit the XML-RPC vulnerability to     execute arbitrary PHP script code by sending specially crafted XML data     to phpWebSite. The undisclosed vulnerabilities do have an unknown     impact.
  Workaround :

    There is no known workaround at this time.

Two input validation errors were discovered in drupal and its bundled xmlrpc module. These errors can lead to the execution of arbitrary commands on the web server running drupal.

drupal was not included in the old stable distribution (woody).

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:564 advisory.

    PHP is an HTML-embedded scripting language commonly used with the Apache     HTTP Web server.

    A bug was discovered in the PEAR XML-RPC Server package included in PHP.
    If a PHP script is used which implements an XML-RPC Server using the PEAR     XML-RPC package, then it is possible for a remote attacker to construct an     XML-RPC request which can cause PHP to execute arbitrary PHP commands as     the 'apache' user. The Common Vulnerabilities and Exposures project     (cve.mitre.org) has assigned the name CAN-2005-1921 to this issue.

    When using the default SELinux targeted policy on Red Hat Enterprise     Linux 4, the impact of this issue is reduced since the scripts executed by     PHP are constrained within the httpd_sys_script_t security context.

    A race condition in temporary file handling was discovered in the shtool     script installed by PHP.  If a third-party PHP module which uses shtool was     compiled as root, a local user may be able to modify arbitrary files.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has     assigned the name CAN-2005-1751 to this issue.

    Users of PHP should upgrade to these updated packages, which contain     backported fixes for these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200507-06 (TikiWiki: Arbitrary command execution through XML-RPC)

    TikiWiki is vulnerable to arbitrary command execution as described     in GLSA 200507-01.
  Impact :

    A remote attacker could exploit this vulnerability to execute     arbitrary PHP code by sending specially crafted XML data.
  Workaround :

    There is no known workaround at this time.

The version of Drupal running on the remote web server allows attackers to execute arbitrary PHP code due to a flaw in its bundled XML-RPC library.

This update includes the PEAR XML_RPC 1.3.1 package, which fixes a security issue in the XML_RPC server implementation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue.

The bundled version of shtool is also updated, to fix some temporary file handling races. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue.

Bug fixes for the dom, ldap, and gd extensions are also included in this update.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update includes the PEAR XML_RPC 1.3.1 package, which fixes a security issue in the XML_RPC server implementation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1921 to this issue.

The bundled version of shtool is also updated, to fix some temporary file handling races. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1751 to this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200507-02 (WordPress: Multiple vulnerabilities)

    James Bercegay of the GulfTech Security Research Team discovered     that WordPress insufficiently checks data passed to the XML-RPC server.
    He also discovered that WordPress has several cross-site scripting and     full path disclosure vulnerabilities.
  Impact :

    An attacker could use the PHP script injection vulnerabilities to     execute arbitrary PHP script commands. Furthermore the cross-site     scripting vulnerabilities could be exploited to execute arbitrary     script code in a user's browser session in context of a vulnerable     site.
  Workaround :

    There are no known workarounds at this time.

The remote host is affected by the vulnerability described in GLSA-200507-01 (PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability)

    James Bercegay of GulfTech Security Research discovered that the     PEAR XML-RPC and phpxmlrpc libraries fail to sanatize input sent using     the 'POST' method.
  Impact :

    A remote attacker could exploit this vulnerability to execute     arbitrary PHP script code by sending a specially crafted XML document     to web applications making use of these libraries.
  Workaround :

    There are no known workarounds at this time.

The version of Serendipity installed on the remote host is prone to remote code execution due to a failure of its bundled XML-RPC library to sanitize user-supplied input to the 'serendipity_xmlrpc.php' script.  This flaw may allow attackers to execute code remotely subject to the privileges of the web server userid.

A vulnerability was discovered by GulfTech Security in the PHP XML RPC project. This vulnerability is considered critical and can lead to remote code execution. The vulnerability also exists in the PEAR XMLRPC implementation.

Mandriva ships with the PEAR XMLRPC implementation and it has been patched to correct this problem. It is advised that users examine the PHP applications they have installed on their servers for any applications that may come bundled with their own copies of the PEAR system and either patch RPC.php or use the system PEAR (found in /usr/share/pear).

Updates have been released for some popular PHP applications such as WordPress and Serendipity and users are urged to take all precautions to protect their systems from attack and/or defacement by upgrading their applications from the authors of the respective applications.

ID	Name	Product	Family	Severity
21841	CentOS 3 / 4 : php (CESA-2005:564)	Nessus	CentOS Local Security Checks	high
21379	FreeBSD : postnuke -- multiple vulnerabilities (0274a9f1-0759-11da-bc08-0001020eed82)	Nessus	FreeBSD Local Security Checks	high
20541	Ubuntu 4.10 / 5.04 : php4, php4-universe vulnerability (USN-147-1)	Nessus	Ubuntu Local Security Checks	high
20180	phpAdsNew XML-RPC Library Remote Code Injection	Nessus	CGI abuses	high
19532	Debian DSA-789-1 : php4 - several vulnerabilities	Nessus	Debian Local Security Checks	high
19359	FreeBSD : drupal -- PHP code execution vulnerabilities (f241641e-f5ea-11d9-a6db-000d608ed240)	Nessus	FreeBSD Local Security Checks	high
19211	GLSA-200507-15 : PHP: Script injection through XML-RPC	Nessus	Gentoo Local Security Checks	high
19195	Debian DSA-746-1 : phpgroupware - input validation error	Nessus	Debian Local Security Checks	high
18933	FreeBSD : pear-XML_RPC -- arbitrary remote code execution (523fad14-eb9d-11d9-a8bd-000cf18bbe54)	Nessus	FreeBSD Local Security Checks	high
18805	Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2005-192-01)	Nessus	Slackware Local Security Checks	high
18666	GLSA-200507-08 : phpGroupWare, eGroupWare: PHP script injection vulnerability	Nessus	Gentoo Local Security Checks	high
18662	Debian DSA-747-1 : egroupware - input validation error	Nessus	Debian Local Security Checks	high
18656	GLSA-200507-07 : phpWebSite: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
18655	Debian DSA-745-1 : drupal - input validation errors	Nessus	Debian Local Security Checks	high
18648	RHEL 4 : php (RHSA-2005:564)	Nessus	Red Hat Local Security Checks	critical
18647	GLSA-200507-06 : TikiWiki: Arbitrary command execution through XML-RPC	Nessus	Gentoo Local Security Checks	high
18640	Drupal XML-RPC for PHP Remote Code Injection	Nessus	CGI abuses	high
18625	Fedora Core 4 : php-5.0.4-10.3 (2005-518)	Nessus	Fedora Local Security Checks	high
18624	Fedora Core 3 : php-4.3.11-2.6 (2005-517)	Nessus	Fedora Local Security Checks	high
18606	GLSA-200507-02 : WordPress: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
18605	GLSA-200507-01 : PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability	Nessus	Gentoo Local Security Checks	high
18600	Serendipity XML-RPC for PHP Remote Code Injection	Nessus	CGI abuses	high
18597	Mandrake Linux Security Advisory : php-pear (MDKSA-2005:109)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2005-1921

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

critical

high

high

high

high

high

high

high

high