{"vuid":"VU#442845","idnumber":"442845","name":"Multiple PHP XML-RPC implementations vulnerable to code injection","keywords":["PHP","remote code execution","XML-RPC","Pear XMLRPC","Lupper"],"overview":"A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system.","clean_desc":"XML-RPC is a specification and a set of implementations that allow software running on disparate operating systems and in different environments to make procedure calls over the Internet. XML-RPC uses HTTP for the transport protocol and XML for the data encoding. Several independent implementations of XML-RPC exist for PHP applications. A common flaw in the way that several XML-RPC PHP implementations pass unsanitized user input to eval() within the XML-RPC server results in a vulnerability that could allow a remote attacker to execute code on a vulnerable system. An attacker with the ability to upload a crafted XML file could insert PHP code that would then be executed by the web application using the vulnerable XML-RPC code.","impact":"Remote attackers may be able to execute PHP code of their choosing on a vulnerable system. The code would be executed in the context of the server program that runs the corresponding web application. Secondary impacts of a compromised web service account include, but are not limited to, malicious modification of web site data, information disclosure, and access that may be leveraged to gain additional system privileges.","resolution":"Upgrade or apply a patch. Various vendors have published patches and updated versions of their software to address this issue. Please see the Systems Affected section of this document for information on a specific product or vendor. Note that because the vulnerability exists in a common extension module, any application that uses the flawed code, including custom applications, may expose the vulnerability. Developers who bundle their own versions of the XML-RPC library with their application should exercise extra care to evaluate their own potential use of the vulnerable code.","workarounds":"","sysaffected":"","thanks":"James Bercegay of the GulfTech Security Research Team reported this issue.","author":"This document was written by Chad R Dougherty.","public":["http://www.hardened-php.net/advisory-022005.php","http://secunia.com/advisories/15861/","http://secunia.com/advisories/15862/","http://secunia.com/advisories/15895/","http://secunia.com/advisories/15884/","http://secunia.com/advisories/15883/","http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2699","http://secunia.com/advisories/15852/","http://secunia.com/advisories/15855/","http://secunia.com/advisories/15810/","http://secunia.com/advisories/15872/","http://secunia.com/advisories/15922/","http://securitytracker.com/alerts/2005/Jun/1014327.html","http://www.gulftech.org/?node=research&article_id=00088-07022005","http://www.gulftech.org/?node=research&article_id=00087-07012005","http://www.securityfocus.com/bid/14088"],"cveids":["CVE-2005-1921"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-06-29T18:11:44Z","publicdate":"2005-06-29T00:00:00Z","datefirstpublished":"2005-07-06T15:39:28Z","dateupdated":"2007-03-09T15:48:13Z","revision":64,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"20","cam_exploitation":"1","cam_internetinfrastructure":"10","cam_population":"7","cam_impact":"17","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"20.750625","cam_scorecurrentwidelyknown":"20.750625","cam_scorecurrentwidelyknownexploited":"33.46875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":
"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":20.750625,"vulnote":null}