102576 – dev-php/PEAR-XML_RPC round 2 (CAN-2005-2498)

Bug 102576 - dev-php/PEAR-XML_RPC round 2 (CAN-2005-2498)

Summary: dev-php/PEAR-XML_RPC round 2 (CAN-2005-2498)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [glsa] jaervosz
Keywords:

Duplicates (1):	102324 (view as bug list)
Depends on:
Blocks:

Reported:	2005-08-14 21:59 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2005-08-24 02:52 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
pear_xml_rpc_without_eval.tgz (pear_xml_rpc_without_eval.tgz,20.29 KB, application/x-tgz) 2005-08-14 22:00 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details
xmlrpc_1_branch.zip (xmlrpc_1_branch.zip,126.53 KB, application/x-zip) 2005-08-14 22:01 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-08-14 21:59:03 UTC

Stefan Esser discovered:  
  
a logical error that allows  an attacker to nest XML tags in a way, that a  
single doublequote will be  appended to the eval string. The next string tag  
will add another  doublequote, then the string data and a closing doublequote.  
It should  be obvious that this means the stringdata is not handled as string  
but  as actual code due to this.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-08-14 22:00:17 UTC

Created attachment 65988 [details]
pear_xml_rpc_without_eval.tgz

Patch by Stefan Esser.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-08-14 22:01:10 UTC

Created attachment 65989 [details]
xmlrpc_1_branch.zip

Patch by Stefan Esser.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-08-15 05:57:51 UTC

http://www.hardened-php.net/advisory_142005.66.html 
http://www.hardened-php.net/advisory_152005.67.html

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-08-17 09:03:31 UTC

There is an error in the patch: 
 
+ 
+    case 'DATETIME.ISO8601': 
+        $XML_RPC_xh[$parser]['vt'] = $GLOBALS['XML_RPC_DateTime']; 
+       $XML_RPC_xh[$parser]['value'] = base64_decode($XML_RPC_xh[$parser]
['ac']); 
 
the base64_decode() call should not be there.

Comment 5 Thierry Carrez (RETIRED) gentoo-dev

2005-08-18 09:29:54 UTC

*** Bug 102324 has been marked as a duplicate of this bug. ***

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-08-18 09:44:57 UTC

Keeping this bug for PEAR XML-RPC only.

Fixed version is PEAR XML_RPC 1.4.0
http://pear.php.net/get/XML_RPC-1.4.0.tgz

Comment 7 Sebastian Bergmann (RETIRED) gentoo-dev

2005-08-18 10:17:31 UTC

dev-php/PEAR-XML_RPC-1.4.0 is already in the tree and marked stable.

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2005-08-24 02:52:34 UTC

Thx everyone.
GLSA 200508-13