Published on 2005-08-16 00:28:23

Stefan Esser, Hardened-PHP Project, posted today a security alert about XMLRPC.

After Gulftech released their PHP code injection advisory in the end of June 2005 we sheduled the code for an audit from our side. Unfortunately we were able to find another vulnerability in the XML-RPC libraries that allows injection of arbitrary PHP code into eval() statements.

Unlike the last vulnerability this is not caused by wrongly implemented escaping of the user input, but by an improper handling of XMLRPC requests and responses that are malformed in a certain way.

Read More

• PDO 1.0RC1 call for testing
• PEAR_RemoteInstaller version 0.3.0 released
• Slackware Updates available for PHP/PEAR
• PEAR Election Started

• Advertise on our mobile site!
• [Contact us]

Member of the PHP Magazine Network, Copyright (C) 2005-2009 phpmagazine.net All Rights Reserved