Stefan Esser discovered a logical error that allows an attacker to nest XML tags in a way that a single double quote will be appended to the eval string. The next string tag will add another double quote, then the string data and a closing double quote. It should be obvious that this means the string data is not handled as a string but as actual code.
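As an added illustration of the mechanism described in the comment above (not code from PEAR XML_RPC or from Stefan Esser's advisory), this Python model contrasts accumulating PHP source for a later eval() with building the value directly and rejecting nested tags; the event tuples and tag handling are constructed assumptions, not the package's parser.

```python
# Constructed model: parser events are (kind, payload) tuples such as
# ("start", "string"), ("chars", "hello"), ("end", "string").

def build_eval_string(events):
    """Vulnerable pattern: accumulate PHP source and eval() it later.
    Opening <string> appends a double quote, character data is appended
    raw, closing </string> appends the closing quote. Nothing enforces
    that tags are not nested, so the quotes can pair up wrongly."""
    src = []
    for kind, payload in events:
        if kind == "start" and payload == "string":
            src.append('"')
        elif kind == "chars":
            src.append(payload)
        elif kind == "end" and payload == "string":
            src.append('"')
    return "".join(src)

def outside_quotes(src):
    """Detection check on the generated source: return the non-whitespace
    characters that fall outside any double-quoted literal. For a
    correctly built string literal this is empty."""
    inside, leaked = False, []
    for ch in src:
        if ch == '"':
            inside = not inside
        elif not inside and not ch.isspace():
            leaked.append(ch)
    return "".join(leaked)

def build_value(events):
    """Fixed pattern: build the value directly, with no eval() anywhere,
    and reject a <string> that opens while another one is still open."""
    depth, buf = 0, []
    for kind, payload in events:
        if kind == "start" and payload == "string":
            if depth:
                raise ValueError("nested <string> element rejected")
            depth += 1
        elif kind == "chars":
            buf.append(payload)
        elif kind == "end" and payload == "string":
            depth -= 1
    if depth != 0:
        raise ValueError("unbalanced <string> element")
    return "".join(buf)

# Constructed event streams: a well-formed value and a nested one.
WELL_FORMED = [("start", "string"), ("chars", "hello"), ("end", "string")]
NESTED = [("start", "string"), ("start", "string"),
          ("chars", "hello"), ("end", "string"), ("end", "string")]
```

With the well-formed stream the eval source is a proper literal and nothing leaks outside the quotes; with the nested stream the character data lands outside every quoted literal, which is exactly what the direct builder refuses to produce.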
Created attachment 65988 pear_xml_rpc_without_eval.tgz Patch by Stefan Esser.
Created attachment 65989 xmlrpc_1_branch.zip Patch by Stefan Esser.
http://www.hardened-php.net/advisory_142005.66.html
http://www.hardened-php.net/advisory_152005.67.html
There is an error in the patch: + + case 'DATETIME.ISO8601': + $XML_RPC_xh[$parser]['vt'] = $GLOBALS['XML_RPC_DateTime']; + $XML_RPC_xh[$parser]['value'] = base64_decode($XML_RPC_xh[$parser] ['ac']); the base64_decode() call should not be there.
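Review bot: the DATETIME.ISO8601 case assigns base64_decode($XML_RPC_xh[$parser]['ac']) to 'value', but XML-RPC transmits dateTime.iso8601 values as plain ISO 8601 text (only the base64 type is base64-encoded), so the decode would corrupt every date value; assign the accumulated character data directly, $XML_RPC_xh[$parser]['value'] = $XML_RPC_xh[$parser]['ac'];, and confirm that the base64 case is the only one that decodes.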
*** Bug 102324 has been marked as a duplicate of this bug. ***
Keeping this bug for PEAR XML-RPC only. Fixed version is PEAR XML_RPC 1.4.0 http://pear.php.net/get/XML_RPC-1.4.0.tgz
dev-php/PEAR-XML_RPC-1.4.0 is already in the tree and marked stable.
Thx everyone. GLSA 200508-13