PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability

The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to execute arbitrary PHP script commands.

pear-xml_rpc phpxmlrpc 2005-07-03 2005-07-03 97399 97629 remote 1.3.1 1.3.1 1.1.1 1.1.1

The PEAR XML-RPC and phpxmlrpc libraries are both PHP implementations of the XML-RPC protocol.

James Bercegay of GulfTech Security Research discovered that the PEAR XML-RPC and phpxmlrpc libraries fail to sanitize input sent using the "POST" method.

A remote attacker could exploit this vulnerability to execute arbitrary PHP script code by sending a specially crafted XML document to web applications making use of these libraries.

There are no known workarounds at this time.

All PEAR-XML_RPC users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.3.1"

All phpxmlrpc users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.1.1"
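
An added example (not part of the advisory or of either project): a shell helper that classifies package atoms against the fixed versions named in the upgrade commands above. The function names and the sample inventory are constructed for illustration, and only plain dotted-numeric versions with an optional -rN revision are handled.

```shell
#!/bin/sh
# Added example: flag package atoms older than the fixed versions in this advisory.

# First fixed version per package, taken from the advisory's upgrade commands.
fixed_version() {
    case "$1" in
        dev-php/PEAR-XML_RPC) echo 1.3.1 ;;
        dev-php/phpxmlrpc)    echo 1.1.1 ;;
        *) return 1 ;;
    esac
}

# version_lt A B: succeed when dotted-numeric version A sorts before B.
# Components are compared as integers, so 1.10 is newer than 1.3.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}      # a missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                     # equal versions are not "less than"
}

# atom_status ATOM: print vulnerable | fixed | not-covered | unparsed
atom_status() {
    atom=${1%-r[0-9]*}           # drop a Gentoo -rN revision suffix
    name=${atom%-*} ver=${atom##*-}
    # Anything other than digits and dots (e.g. _rc1) is reported, not guessed.
    case "$ver" in ''|*[!0-9.]*) echo unparsed; return 0 ;; esac
    fixed=$(fixed_version "$name") || { echo not-covered; return 0; }
    if version_lt "$ver" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Constructed sample inventory (not real host data).
for pkg in dev-php/PEAR-XML_RPC-1.3.0 dev-php/PEAR-XML_RPC-1.3.1-r1 \
           dev-php/phpxmlrpc-1.1 dev-lang/php-4.3.11; do
    printf '%-32s %s\n' "$pkg" "$(atom_status "$pkg")"
done
```

Atoms reported as unparsed need a manual check rather than being treated as fixed.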
CAN-2005-1921 GulfTech Advisory koon koon DerCorny