Bug#: 102576
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Attachments (filename | type | creator | created | size):
pear_xml_rpc_without_eval.tgz | application/x-tgz | Sune Kloppenborg Jeppesen | 2005-08-14 22:00 0000 | 20.29 KB
xmlrpc_1_branch.zip | application/x-zip | Sune Kloppenborg Jeppesen | 2005-08-14 22:01 0000 | 126.53 KB


Description: Opened: 2005-08-14 21:59 0000
Stefan Esser discovered:

a logical error that allows an attacker to nest XML tags in a way that a single doublequote will be appended to the eval string. The next string tag will add another doublequote, then the string data and a closing doublequote. It should be obvious that this means the string data is not handled as string but as actual code due to this.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-08-14 22:00:17 0000 -------
Created an attachment (id=65988)
pear_xml_rpc_without_eval.tgz

Patch by Stefan Esser.

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-08-14 22:01:10 0000 -------
Created an attachment (id=65989)
xmlrpc_1_branch.zip

Patch by Stefan Esser.

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-08-15 05:57:51 0000 -------
http://www.hardened-php.net/advisory_142005.66.html
http://www.hardened-php.net/advisory_152005.67.html

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-08-17 09:03:31 0000 -------
There is an error in the patch:
 
+ 
+    case 'DATETIME.ISO8601': 
+        $XML_RPC_xh[$parser]['vt'] = $GLOBALS['XML_RPC_DateTime']; 
+       $XML_RPC_xh[$parser]['value'] = base64_decode($XML_RPC_xh[$parser]
['ac']); 
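Review bot: the `base64_decode()` wrapped around the `'ac'` accumulator in the `DATETIME.ISO8601` case is a logic error: the accumulated character data for that type is the literal timestamp text (the `YYYYMMDDThh:mm:ss` form XML-RPC uses), so decoding it as base64 mangles every date value into binary garbage; the `value` line should assign `$XML_RPC_xh[$parser]['ac']` as-is, leaving `base64_decode()` to the `BASE64` case. Minor style point on the same line: it is indented with seven spaces while the `vt` line above it uses eight.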

the base64_decode() call should not be there.
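The attached fix dropped the eval() string altogether in favour of mapping each type tag straight to a value, which is also the context of the DATETIME.ISO8601 hunk above. The following Python parser is an added example of that approach (not code from the bug report or from PEAR XML_RPC): a scalar type tag that contains another type tag, the nesting described in the bug description, is rejected outright, and dateTime.iso8601 is kept as literal text instead of being base64-decoded. The function names and SAMPLE_CALL are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

class XmlRpcValueError(ValueError): pass  # raised when a value breaks the XML-RPC grammar

def _leaf_text(node):
    # Scalar type tags carry character data only; a type tag nested inside another
    # (<string><string>..) is the shape the bug abused, so it is rejected outright.
    if len(node):
        raise XmlRpcValueError(f"<{node.tag}> must not contain child elements")
    return node.text or ""

def parse_value(value):
    """Convert one <value> element into a Python object (no eval anywhere)."""
    children = list(value)
    if not children:
        return value.text or ""          # bare <value>text</value> is a string
    if len(children) != 1:
        raise XmlRpcValueError("<value> must hold exactly one type element")
    node, tag = children[0], children[0].tag
    if tag in ("i4", "int"):
        return int(_leaf_text(node))
    if tag == "string":
        return _leaf_text(node)
    if tag == "dateTime.iso8601":
        return _leaf_text(node).strip()  # literal timestamp, never base64-decoded
    if tag == "base64":
        return base64.b64decode(_leaf_text(node).strip(), validate=True)
    if tag == "array":
        data = node.find("data")
        if data is None or len(node) != 1:
            raise XmlRpcValueError("<array> must hold exactly one <data>")
        return [parse_value(v) for v in data.findall("value")]
    if tag == "struct":
        members = [(m.find("name"), m.find("value")) for m in node.findall("member")]
        if any(n is None or v is None for n, v in members):
            raise XmlRpcValueError("<member> needs <name> and <value>")
        return {_leaf_text(n): parse_value(v) for n, v in members}
    raise XmlRpcValueError(f"unknown XML-RPC type <{tag}>")

def parse_params(xml_text):
    # Return the decoded <param> values of a methodCall document, in order.
    root = ET.fromstring(xml_text)
    return [parse_value(v) for v in root.iterfind("params/param/value")]

# Constructed sample request (not taken from the bug report).
SAMPLE_CALL = ("<methodCall><methodName>demo</methodName><params><param><value><int>42</int>"
               "</value></param><param><value><dateTime.iso8601>20050814T22:00:00"
               "</dateTime.iso8601></value></param><param><value><base64>aGVsbG8=</base64>"
               "</value></param></params></methodCall>")
```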

------- Comment #5 From Thierry Carrez (RETIRED) 2005-08-18 09:29:54 0000 -------
*** Bug 102324 has been marked as a duplicate of this bug. ***

------- Comment #6 From Thierry Carrez (RETIRED) 2005-08-18 09:44:57 0000 -------
Keeping this bug for PEAR XML-RPC only.

Fixed version is PEAR XML_RPC 1.4.0
http://pear.php.net/get/XML_RPC-1.4.0.tgz

------- Comment #7 From Sebastian Bergmann (RETIRED) 2005-08-18 10:17:31 0000 -------
dev-php/PEAR-XML_RPC-1.4.0 is already in the tree and marked stable.

------- Comment #8 From Thierry Carrez (RETIRED) 2005-08-24 02:52:34 0000 -------
Thx everyone.
GLSA 200508-13
