PHP XML-RPC flaw discovered
Posted on July 4, 2005
A fairly serious flaw in the PHP XML-RPC function has been discovered:
The flaw affects the XML-RPC function, which has many uses in web applications, including “ping” update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls (RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.
- Netcraft
Gulftech has technical details and exploit code: PHPXMLRPC Library Remote Code Execution.
In a nutshell: the XML in the request gets run through the eval() function, and single quotes used to break out of a string and inject PHP code are never escaped, since $HTTP_RAW_POST_DATA isn’t affected by the magic_quotes_gpc setting.
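The quoting problem described above, as an added illustration that is not code from PHPXMLRPC or Pear XML-RPC. All function names and the sample request are constructed for this example, and the value carries only a benign apostrophe:

```php
<?php
// Added illustration, not code from PHPXMLRPC or PEAR XML-RPC.
// All function names here are hypothetical.

// Constructed sample request body; the value contains a benign single quote.
$body = <<<'XML'
<?xml version="1.0"?>
<methodCall><methodName>weblogUpdates.ping</methodName>
<params><param><value><string>Bob's Blog</string></value></param></params>
</methodCall>
XML;

// Pull the first <string> value out of the request body.
function first_string_value(string $xml): ?string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $nodes = $doc->getElementsByTagName('string');
    return $nodes->length > 0 ? $nodes->item(0)->textContent : null;
}

// Unsafe pattern: the value is pasted between quotes into PHP source.
function unsafe_source(string $value): string
{
    return "return '" . $value . "';";
}

// If source must be generated, var_export() emits a correctly escaped literal.
function escaped_source(string $value): string
{
    return 'return ' . var_export($value, true) . ';';
}

$value = first_string_value($body);
echo unsafe_source($value), "\n";   // the apostrophe closes the literal early
echo escaped_source($value), "\n";  // the apostrophe is backslash-escaped

try {
    eval(unsafe_source($value));
} catch (ParseError $e) {
    echo "unsafe source is no longer a single literal: ", $e->getMessage(), "\n";
}
var_dump(eval(escaped_source($value)) === $value); // round-trips unchanged
// Preferred fix: use $value directly and never pass request data to eval().
```

Because the request body reaches the library unescaped regardless of magic_quotes_gpc, the escaping has to happen where the source string is built, or the eval() has to go.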