
Security

Brief items

PEAR XML_RPC remote code execution vulnerability

July 6, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

A serious vulnerability in the PEAR XML_RPC library and the XML-RPC for PHP package has been disclosed. The vulnerability allows unsanitized data to be passed to the eval() call, which would allow execution of arbitrary PHP code.

The vulnerability was reported by James Bercegay of the GulfTech Security Research Team. Bercegay reports that the parseRequest() function passes data to eval() without sanitizing the input first. As a result, a properly-crafted XML file can be used to execute PHP code on the targeted server. Bercegay's advisory gives an example request that would cause the relatively harmless phpinfo() function to be executed on a target server:

<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
  <params>
    <param>
      <value><name>','')); phpinfo(); exit;/*</name></value>
    </param>
  </params>
</methodCall>
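
A structural check that a front-end filter or log-triage script could apply to XML-RPC request bodies, added here as an illustration and not taken from the advisory or from PEAR's code: it parses every parameter as data and flags anything outside the XML-RPC type grammar, such as the <name> element in the request above. The function names and the benign sample are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Type elements XML-RPC allows under <value>; a regex where the text is constrained.
INT = r"[+-]?[0-9]+"
TYPES = {"i4": INT, "int": INT, "boolean": r"[01]", "double": INT + r"(\.[0-9]+)?",
         "string": None, "dateTime.iso8601": None, "base64": None}

def _check_value(value, path, findings):
    kids = list(value)
    if len(kids) != 1:                 # no child: bare text is an implicit string
        if kids:
            findings.append(f"{path}: <value> holds {len(kids)} elements")
        return
    node, text = kids[0], (kids[0].text or "").strip()
    if node.tag == "array":
        for i, v in enumerate(node.findall("./data/value")):
            _check_value(v, f"{path}[{i}]", findings)
    elif node.tag == "struct":
        for m in node.findall("member"):
            for v in m.findall("value"):
                _check_value(v, f"{path}.{m.findtext('name', '?')}", findings)
    elif node.tag not in TYPES:
        findings.append(f"{path}: unknown type element <{node.tag}>")
    elif len(node):
        findings.append(f"{path}: <{node.tag}> has child elements")
    elif TYPES[node.tag] and not re.fullmatch(TYPES[node.tag], text):
        findings.append(f"{path}: bad {node.tag} {text!r}")

def validate_request(xml_text):
    """Return findings; an empty list means every parameter is well-typed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "methodCall" or not root.findtext("methodName"):
        return ["not an XML-RPC methodCall"]
    findings = []
    for i, v in enumerate(root.findall("./params/param/value")):
        _check_value(v, f"param[{i}]", findings)
    return findings

# Constructed benign request, and the request quoted in the article above.
BENIGN = ("<methodCall><methodName>test.method</methodName><params><param>"
          "<value><int>42</int></value></param><param><value>"
          "<string>it's ok</string></value></param></params></methodCall>")
ARTICLE = ("<methodCall><methodName>test.method</methodName><params><param>"
           "<value><name>','')); phpinfo(); exit;/*</name></value>"
           "</param></params></methodCall>")
```

Calling validate_request(ARTICLE) returns one finding for the unknown <name> type element, while validate_request(BENIGN) returns an empty list.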

PEAR's library or the XML-RPC for PHP package is used in a number of PHP-based projects, including WordPress, Drupal, PostNuke, Xaraya, phpGroupWare, Tikiwiki, and many others, which means that there are a lot of vulnerable servers out there. Users of PHP-based blogging applications and other packages that use XML_RPC should check to see if the software is vulnerable and update the package as soon as a new release is available. Some projects, like PostNuke, are advising users to remove the offending code altogether.

PEAR's XML_RPC library is also distributed with many Linux distributions. Most of the vulnerable projects and distributions have announced updated packages. The PHP project has bundled the new PEAR XML_RPC package in PHP 4.4.0RC2, and a separate release is available on the PEAR site. The final PHP 4.4.0 release is scheduled for July 11. Users can also update the PEAR library by running "pear upgrade XML_RPC" as root or using sudo. An update of XML-RPC for PHP is also available.

Users should upgrade or take steps to remove the library as soon as possible, as it seems likely that exploits of this vulnerability will begin appearing in the wild soon, if they have not already.


New vulnerabilities

crip: insecure temporary files

Package(s): crip
CVE #(s): CAN-2005-0393
Created: June 30, 2005
Updated: July 6, 2005
Description: Justin Rye discovered that crip, a terminal-based ripper, encoder and tagger tool, utilizes temporary files in an insecure fashion in its helper scripts.
Alerts:
Debian DSA-733-1 crip 2005-06-30


kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CAN-2005-1913 CAN-2005-1761
Created: July 1, 2005
Updated: September 9, 2005
Description: Several vulnerabilities in the 2.6 kernel have been fixed, including a subthread exec problem (CAN-2005-1913) and an ia64 ptrace + sigrestore_context problem (CAN-2005-1761).
Alerts:
Ubuntu USN-178-1 kernel 2005-09-09
Red Hat RHSA-2005:551-01 kernel 2005-08-25
SuSE SUSE-SA:2005:044 kernel 2005-08-04
Fedora FEDORA-2005-510 kernel 2005-07-01


phpbb: arbitrary command execution

Package(s): phpbb
CVE #(s):
Created: July 4, 2005
Updated: July 6, 2005
Description: Ron van Daal discovered a vulnerability in the phpBB highlighting code that can allow an attacker to execute arbitrary code with the privileges of the web server.
Alerts:
Gentoo 200507-03 phpbb 2005-07-04


php-pear: remote code execution

Package(s): php-pear
CVE #(s): CAN-2005-1921
Created: July 1, 2005
Updated: July 29, 2005
Description: The PEAR XMLRPC implementation has a vulnerability that can be exploited for remote code execution. See this report from GulfTech Security Research. This vulnerability affects a large number of PHP web applications.
Alerts:
Fedora-Legacy FLSA:163559 php 2005-07-28
Conectiva CLA-2005:980 php4 2005-07-14
Gentoo 200507-15 php 2005-07-15
Debian DSA-746-1 phpgroupware 2005-07-13
Slackware SSA:2005-192-02 php 2005-07-12
Slackware SSA:2005-192-01 php 2005-07-12
Gentoo 200507-08 phpgroupware 2005-07-10
Debian DSA-747-1 egroupware 2005-07-10
Gentoo 200507-07 phpwebsite 2005-07-10
Debian DSA-745-1 drupal 2005-07-10
SuSE SUSE-SA:2005:041 php/pear 2005-07-08
Red Hat RHSA-2005:564-01 PHP 2005-07-07
Gentoo 200507-06 tikiwiki 2005-07-06
Ubuntu USN-147-2 USN-147-1 [1] fixed a remote code execution 2005-07-06
Ubuntu USN-147-1 php4, php4-universe 2005-07-05
Fedora FEDORA-2005-518 php 2005-07-05
Fedora FEDORA-2005-517 php 2005-07-05
Gentoo 200507-01 PEAR-XML_RPC 2005-07-03
Mandriva MDKSA-2005:109 php-pear 2005-06-30


zlib: buffer overflow

Package(s): zlib
CVE #(s): CAN-2005-2096
Created: July 6, 2005
Updated: October 27, 2005
Description: zlib has a buffer overflow vulnerability that can be exploited by inflation of corrupted files; this can be used to crash zlib or possibly remotely execute code.
Alerts:
Mandriva MDKSA-2005:196 perl-compress-zlib 2005-10-26
Debian DSA-797-2 zsync 2005-09-28
Fedora FEDORA-2005-565 rpm 2005-07-13
Slackware SSA:2005-189-01 zlib 2005-07-10
Trustix TSLSA-2005-0034 net-snmp, 2005-07-08
Mandriva MDKSA-2005:112 zlib 2005-07-06
Fedora FEDORA-2005-523 zlib 2005-07-07
Fedora FEDORA-2005-524 zlib 2005-07-07
OpenPKG OpenPKG-SA-2005.013 zlib 2005-07-07
Ubuntu USN-148-1 zlib 2005-07-06
SuSE SUSE-SA:2005:039 zlib 2005-07-06
Red Hat RHSA-2005:569-01 Zlib 2005-07-06
Gentoo 200507-05 zlib 2005-07-06
Debian DSA-740-1 zlib 2005-07-06


Resources

Linux Advisory Watch - July 1st 2005

The Linux Advisory Watch for July 1, 2005 is out, with articles on Linux File & Directory Permissions Mistakes, Measuring Security IT Success, Getting to Know Linux Security: File Permissions, The Tao of Network Security Monitoring: Beyond Intrusion Detection, and other news.


Linux Security Week - July 4th 2005

The Linux Advisory Watch for July 4, 2005 is out. Articles include Review: The Book of Postfix: State-of-the-Art Message Transport, Introduction: Buffer Overflow Vulnerabilities, Getting to Know Linux Security: File Permissions, and more.


Page editor: Rebecca Sobol


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds