PEAR XML_RPC 1.3.1 has just been released to fix a security bug.
PEAR XML_RPC is vulnerable to a very high risk PHP code injection vulnerability
due to unsanitized data being passed into an eval() call. Let us have a look at
the code that allows the vulnerability to present itself (from Server.php of the affected release).
// decompose incoming XML into request structure
// ($parser is the integer key derived from $parser_resource earlier in this
// function; it indexes the global $XML_RPC_xh parse-state array)
xml_parser_set_option($parser_resource, XML_OPTION_CASE_FOLDING, true);
xml_set_element_handler($parser_resource, 'XML_RPC_se', 'XML_RPC_ee');
xml_set_character_data_handler($parser_resource, 'XML_RPC_cd');
if (!xml_parse($parser_resource, $data, 1)) {
    // return XML error as a faultCode
    $r = new XML_RPC_Response(0,
        $XML_RPC_errxml + xml_get_error_code($parser_resource),
        sprintf('XML error: %s at line %d',
            xml_error_string(xml_get_error_code($parser_resource)),
            xml_get_current_line_number($parser_resource)));
    xml_parser_free($parser_resource);
} else {
    xml_parser_free($parser_resource);
    $m = new XML_RPC_Message($XML_RPC_xh[$parser]['method']);
    // now add parameters in
    for ($i = 0; $i < sizeof($XML_RPC_xh[$parser]['params']); $i++) {
        $plist .= "$i - " . $XML_RPC_xh[$parser]['params'][$i] . " \n";
        // each 'params' entry is a fragment of PHP source assembled by the
        // element/character handlers from attacker-supplied XML text; pasting
        // it into a statement and calling eval() is the injection point
        eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');');
    }
    XML_RPC_Server_debugmsg($plist);
}
The for() loop that holds the vulnerable eval() call is used to build
the request from an incoming POST containing an XML document. No type checks or sanitation are performed on the parsed values before this point, and the fact that
magic_quotes_gpc does not apply to the raw POST body (it only touches $_GET, $_POST and $_COOKIE) makes the issue that much easier to exploit: the attacker's quotes and semicolons reach eval() untouched.
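To make the failure mode concrete, here is an added example (not XML_RPC's own code, and not the patch that went into 1.3.1) that decodes the <params> of an XML-RPC methodCall two ways. build_param_expr_unsafe() mirrors the pre-1.3.1 design: it turns each parsed value into a fragment of PHP source, exactly the kind of string the loop above hands to eval(). decode_value_safe() builds native PHP values directly from the parse tree, so no input text is ever interpreted as code. It uses SimpleXML instead of the expat callbacks in Server.php; the function names, the XML_RPC_Value constructor shape in the generated source, and the sample request are assumptions for illustration.

```php
<?php
// Added example, not part of PEAR XML_RPC. Contrasts "build PHP source from
// input and eval() it" with "build PHP values from input".

// UNSAFE: returns the PHP source text that a loop like the one in Server.php
// would pass to eval('$m->addParam(' . $expr . ');'). String content is pasted
// between single quotes with no escaping, which is the bug the advisory describes.
// (XML_RPC_Value(...) here is just the text we generate; nothing is evaluated.)
function build_param_expr_unsafe(SimpleXMLElement $value): string {
    if (isset($value->string)) {
        return "new XML_RPC_Value('" . (string)$value->string . "', 'string')";
    }
    if (isset($value->int) || isset($value->i4)) {
        $n = isset($value->int) ? $value->int : $value->i4;
        // raw text pasted as well: a non-numeric <int> also becomes code
        return "new XML_RPC_Value(" . (string)$n . ", 'int')";
    }
    // untyped <value>text</value> is a string per the XML-RPC spec
    return "new XML_RPC_Value('" . trim((string)$value) . "', 'string')";
}

// SAFE: construct PHP values from the tree. Input is data, never source.
function decode_value_safe(SimpleXMLElement $value) {
    if (isset($value->string))  return (string)$value->string;
    if (isset($value->int))     return (int)(string)$value->int;
    if (isset($value->i4))      return (int)(string)$value->i4;
    if (isset($value->boolean)) return ((string)$value->boolean) === '1';
    if (isset($value->double))  return (float)(string)$value->double;
    if (isset($value->array)) {
        $out = [];
        foreach ($value->array->data->value as $v) {
            $out[] = decode_value_safe($v);
        }
        return $out;
    }
    if (isset($value->struct)) {
        $out = [];
        foreach ($value->struct->member as $m) {
            $out[(string)$m->name] = decode_value_safe($m->value);
        }
        return $out;
    }
    return trim((string)$value); // untyped value is a string
}

// Parses a methodCall document into ['method' => ..., 'params' => [...]].
// LIBXML_NONET blocks network fetches; entity substitution is deliberately
// left off so external entities in the request are not expanded.
function decode_request(string $xml): array {
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== 'methodCall') {
        throw new InvalidArgumentException('not an XML-RPC methodCall');
    }
    $params = [];
    foreach ($doc->params->param as $p) {
        $params[] = decode_value_safe($p->value);
    }
    return ['method' => (string)$doc->methodName, 'params' => $params];
}

// Constructed sample request: a perfectly ordinary string containing an
// apostrophe. No attack payload, just the character that ends a PHP literal.
$request = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>examples.echo</methodName>
  <params>
    <param><value><string>O'Reilly</string></value></param>
    <param><value><int>42</int></value></param>
    <param><value><struct>
      <member><name>flag</name><value><boolean>1</boolean></value></member>
    </struct></value></param>
  </params>
</methodCall>
XML;

$doc = simplexml_load_string($request, 'SimpleXMLElement', LIBXML_NONET);
foreach ($doc->params->param as $i => $p) {
    // The first line shows the apostrophe terminating the literal early:
    // everything after it would be parsed by eval() as PHP code.
    echo "unsafe expr: " . build_param_expr_unsafe($p->value) . "\n";
}
var_export(decode_request($request));
echo "\n";
```

Run it with php on the command line. The first unsafe line comes out as new XML_RPC_Value('O'Reilly', 'string'), which already shows why the original design cannot be patched by filtering a few characters: any byte sequence that closes the literal turns the rest of the value into executable source, whereas the safe decoder returns the string O'Reilly unchanged as data.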
The above XML file, when posted to the vulnerable server, causes the
phpinfo() function to be executed on the vulnerable server.
Solution: upgrade to PEAR XML_RPC 1.3.1.