PEAR XML_RPC Remote PHP Code Injection Vulnerability
Stefan Esser, Hardened-PHP Project, posted today a security alert about XMLRPC.
After Gulftech released their PHP code injection advisory in the end of June 2005 we sheduled the code for an audit from our side. Unfortunately we were able to find another vulnerability in the XML-RPC libraries that allows injection of arbitrary PHP code into eval() statements.
Unlike the last vulnerability this is not caused by wrongly implemented escaping of the user input, but by an improper handling of XMLRPC requests and responses that are malformed in a certain way.
Details :
When the library parses XMLRPC requests/repsonses, it constructs
a string of PHP code, that is later evaluated. This means any
failure to properly handle the construction of this string can
result in arbitrary execution of PHP code.
In late June a problem was discovered, that certain XML tags where
using single quotes around embedded user input and single quotes
where not escaped. This allowed a typical injection attack. While
all these escaping problems were believed to be fixed, I was able
to find another problems, that allows injection of arbitrary code.
This new injection vulnerability is cause by not properly handling
the situation, when certain XML tags are nested in the parsed
document, that were never meant to be nested at all. This can be
easily exploited in a way, that user-input is placed outside of
string delimiters within the evaluation string, which obviously
results in arbitrary code execution.
Therefore we have added a XML tag nesting verification into the
code and additionally removed all call to eval(). Therefore the
resulting patch eliminates the current and the possibility for
future eval() holes. Additionally this means from the diff
between a vulnerable and a not vulnerable version it is not
possible to find the position of the flaw easily.
Its strongly recommanded to upgrade to PEAR XML_RPC 1.4.0
