exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hardened-PHP Project Security Advisory 2005-14.66

Hardened-PHP Project Security Advisory 2005-14.66
Posted Aug 17, 2005
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

A vulnerability in the PEAR XML-RPC libraries allows injection of arbitrary PHP code into eval() statements. Versions 1.3.3 and below are affected.

tags | advisory, arbitrary, php
advisories | CVE-2005-2498
SHA-256 | 69e67d5d0d2809ee1dd8aab9cb442c8038040d14db81b9435a92088852571ec9

Hardened-PHP Project Security Advisory 2005-14.66

Change Mirror Download

Hash: SHA1

Hardened-PHP Project

-= Security Advisory =-

Advisory: PEAR XML_RPC Remote PHP Code Injection Vulnerability
Release Date: 2005/08/15
Last Modified: 2005/08/15
Author: Stefan Esser [sesser@hardened-php.net]

Application: PEAR XML_RPC <= 1.3.3
Severity: A malformed XMLRPC request can result in execution
of arbitrary injected PHP code
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_142005.66.html


PEAR XML_RPC is the PEAR-ified version of Useful Inc's XML-RPC
for PHP, which is a PHP implementation of the XML-RPC protocol.
It has support for HTTP transport, proxies and authentication.

After Gulftech released their PHP code injection advisory in the
end of June 2005 we sheduled the code for an audit from our side.
Unfortunately we were able to find another vulnerability in the
XML-RPC libraries that allows injection of arbitrary PHP code
into eval() statements.

Unlike the last vulnerability this is not caused by wrongly
implemented escaping of the user input, but by an improper handling
of XMLRPC requests and responses that are malformed in a certain

To get rid of this and future eval() injection vulnerabilities, the
Hardened-PHP Project has developed together with the maintainers
of both libraries a fix that completely eliminates the use of
eval() from the library.


When the library parses XMLRPC requests/repsonses, it constructs
a string of PHP code, that is later evaluated. This means any
failure to properly handle the construction of this string can
result in arbitrary execution of PHP code.

In late June a problem was discovered, that certain XML tags where
using single quotes around embedded user input and single quotes
where not escaped. This allowed a typical injection attack. While
all these escaping problems were believed to be fixed, I was able
to find another problems, that allows injection of arbitrary code.

This new injection vulnerability is cause by not properly handling
the situation, when certain XML tags are nested in the parsed
document, that were never meant to be nested at all. This can be
easily exploited in a way, that user-input is placed outside of
string delimiters within the evaluation string, which obviously
results in arbitrary code execution.

Therefore we have added a XML tag nesting verification into the
code and additionally removed all call to eval(). Therefore the
resulting patch eliminates the current and the possibility for
future eval() holes. Additionally this means from the diff
between a vulnerable and a not vulnerable version it is not
possible to find the position of the flaw easily.

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-2498 to this vulnerability.

Proof of Concept:

The Hardened-PHP Project is not going to release an exploit for
this vulnerability to the public.

Disclosure Timeline:

22. July 2005 - Contact with both library vendors established.
Issue is discussed and a patch that eliminates
the use of eval() is developed, improved and
12. August 2005 - Affected applications are contacted and asked
for beta test of the patches.
14. August 2005 - Vendors release bugfixed versions, after
information about this vulnerability leaked
through one of the affected applications to
the public.
15. August 2005 - Public disclosure


We strongly recommend to upgrade to the vendor supplied new
version, that completely eliminates all calls to eval().


You can also upgrade XML_RPC with the pear commandline client,
but because this uses a XML_RPC connection to retrieve the data
it is not recommended.



pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By