XML-RPC for PHP eval() XML with single quote PHP code execution (XML_Subversion_Date_CmdExec)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, BlackICE Server Protection, BlackICE Agent for Server, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, RealSecure Desktop Protector 3.6, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects a specially-crafted REPORT query.


False positives

IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: A false positive condition may occur due to the inability to determine if the XML data being reported is consumed by a Subversion server.

Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.1730, Proventia-G 1.1 and earlier: XPU 24.34, Proventia Network MFS: XPU 1.73, Proventia Network IDS: XPU 24.34, BlackICE Server Protection: 3.6.cpe, BlackICE Agent for Server: 3.6epe, BlackICE PC Protection: 3.6cpe, RealSecure Server Sensor: XPU 24.34, RealSecure Network: XPU 24.34, Proventia Network IPS: XPU 1.73, Proventia Desktop: 8.0.675.1730, RealSecure Desktop Protector 3.6: epe, RealSecure Desktop: epe, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.73

Systems affected

Debian Debian Linux: 3.0, Gentoo Linux, SuSE Linux Enterprise Server: 8, SUSE SuSE Linux: 8.2, Conectiva Linux: 9.0, SUSE SuSE Linux: 9.0, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, FedoraProject Fedora Core: 4, MandrakeSoft Mandrake Linux: 10.0, SUSE SuSE Linux: 9.1, RedHat Enterprise Linux: 3 Desktop, Conectiva Linux: 10, SuSE SuSE SLES: 9, SUSE SuSE Linux: 9.2, Canonical Ubuntu: 4.10, MandrakeSoft Mandrake Linux: 10.1, RedHat Enterprise Linux: AS, FedoraProject Fedora Core: 3, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Thorsten Rinne PhpMyFAQ: 1.4, Thorsten Rinne PhpMyFAQ: 1.5, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, MandrakeSoft Mandrake Linux: LE2005, Canonical Ubuntu: 5.04, PEAR PEAR XML_RPC: prior to 1.3.1, s9y Serendipity: prior to 0.8.2, Drupal Drupal: prior to 4.5.4, Drupal Drupal: prior to 4.6.2, Debian Debian Linux: 3.1, Jaws Jaws: prior to 0.5.2, TikiWiki TikiWiki: 1.8.5-r1 and prior, Ruby-lang Ruby: 1.8.2-r2 and prior, Novell Open Enterprise: Server, FreeMED FreeMED: prior to 0.8.1.1, SuSE Linux Enterprise Server: 9, MandrakeSoft Mandrake Linux: LE2005 X86_64, MandrakeSoft Mandrake Linux: 10.1 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, MandrakeSoft Mandrake Linux: 10.0 AMD64, Novell Open Enterprise Server, PHP PHP: 1.0, SUSE SuSE Linux: 9.3

Type

Unauthorized Access Attempt

Vulnerability description

XML-RPC for PHP (PHPXMLRPC) could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of PHP code passed to eval() statements. A remote attacker could exploit this vulnerability by sending, via an HTTP POST request, a specially-crafted XML file that uses single quotes to escape to eval() statements, allowing the attacker to execute arbitrary PHP code on the affected system.

Note: This vulnerability also affects PEAR XML_RPC and multiple applications that utilize the XML-RPC for PHP library or the PEAR XML_RPC library.
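
The bug class described above, as an added illustration that is not code from XML-RPC for PHP, PEAR XML_RPC or this advisory: text from a constructed `<value>` element is pasted into a single-quoted PHP literal (the unsafe pattern, tokenized here rather than passed to eval()), then decoded by a hardened decoder that never generates source. All function names and the sample input are assumptions made for the example.

```php
<?php
// Added illustration; names and sample input are constructed, not library code.

// Unsafe pattern: parsed XML text is pasted into a single-quoted PHP literal
// that a decoder would then pass to eval(). Nothing is eval()'d here.
function unsafe_build_source(string $xmlText): string
{
    return "\$value = '" . $xmlText . "';";
}

// True only if the generated source is exactly: $var = 'literal';
function is_single_literal(string $src): bool
{
    $shape = [];
    foreach (token_get_all('<?php ' . $src) as $tok) {
        $id = is_array($tok) ? $tok[0] : $tok;
        if ($id !== T_OPEN_TAG && $id !== T_WHITESPACE) {
            $shape[] = $id;
        }
    }
    return $shape === [T_VARIABLE, '=', T_CONSTANT_ENCAPSED_STRING, ';'];
}

// Hardened pattern: map each XML-RPC scalar straight to a PHP value.
// The text is validated and cast, never turned into source code.
function decode_value(SimpleXMLElement $value)
{
    foreach ($value->children() as $node) {
        $text = (string) $node;
        switch ($node->getName()) {
            case 'string':
                return $text;
            case 'int':
            case 'i4':
                if (preg_match('/^[+-]?\d+$/', $text)) {
                    return (int) $text;
                }
                throw new InvalidArgumentException('malformed integer');
            default:
                throw new InvalidArgumentException('unsupported type');
        }
    }
    return (string) $value; // an untyped <value> is a string in XML-RPC
}

$xml = '<value><string>O\'Brien</string></value>'; // constructed sample
$node = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
var_dump(is_single_literal(unsafe_build_source((string) $node->string)));
var_dump(decode_value($node));
```

Even an ordinary apostrophe changes the token structure of the generated source, which is why the fixed releases listed below matter for any application that bundles either library.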

How to remove this vulnerability

Upgrade to the latest version of PEAR XML-RPC (1.3.1 or later), available from the PEAR XML_RPC Download Web page. See References.

For phpMyFAQ:
Upgrade to the latest version of phpMyFAQ (1.4.9 or later), available from the phpMyFAQ Download Web page. See References.

For Serendipity:
Upgrade to the latest version of Serendipity (0.8.2 or later), available from the SourceForge.net Web site. See References.

For Drupal:
Upgrade to the latest version of Drupal (4.5.4 or 4.6.2 or later), available from the Drupal Web site. See References.

For MailWatch for MailScanner:
Upgrade to the latest version of MailWatch for MailScanner (1.0.1 or later), available from the SourceForge.net Web site. See References.

For TikiWiki:
Upgrade to the latest version of TikiWiki (1.8.5-r1 or later), as listed in GLSA 200507-06 / Tikiwiki. See References.

For Jaws:
Upgrade to the latest version of Jaws (0.5.2 or later), available from the Jaws Web site. See References.

For phpWebSite:
Upgrade to the latest version of phpWebSite (0.10.1 or later), available from the phpWebSite Security Patch Web site. See References.

For Red Hat Linux containing the PEAR XML-RPC Server package:
Upgrade to the latest PEAR XML-RPC Server package. Refer to RHSA-2005:564-15 for more information. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of egroupware (1.0.0.007-2.dfsg-2sarge1 or later), as listed in DSA-747-1. See References.

For Debian GNU/Linux 3.1 (Sarge):
Upgrade to the latest version of phpgroupware (0.9.16.005-3.sarge0 or later), as listed in DSA-746-1. See References.

Upgrade to the latest version of ruby (1.8.2-7sarge1 or later), as listed in DSA-748-1. See References.

For SuSE Linux:
Upgrade to the latest version of (or later), as listed in the SUSE Security Announcement SUSE-SA:2005:041. See References.

For Mandrake Linux 10.1:
Upgrade to the latest version of Ruby (1.8.1-4.3.101mdk or later), as listed in Mandrake Security Advisory MDKSA-2005:118. See References.

For Ruby:
Upgrade to the latest version of Ruby (1.8.2-r2 or later), as listed in GLSA 200507-10 / ruby. See References.

For Gentoo Linux:
Upgrade to the latest version of dev-php/php (4.4.0 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-15. See References.

For Gentoo Linux:
Upgrade to the latest version of phpgroupware (0.9.16.006 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-08. See References.

For Gentoo Linux:
Upgrade to the latest version of dev-lang/ruby (1.8.2-r2 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-10. See References.

For Gentoo Linux:
Upgrade to the latest version of phpWebSite (0.10.1-r1 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-07. See References.

For Gentoo Linux:
Upgrade to the latest version of WordPress (1.5.1.3 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-02. See References.

For Gentoo Linux:
Upgrade to the latest version of PEAR-XML_RPC (1.3.1 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-01. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest version of Php4 (4.1.2-7.woody5 or later), as listed in DSA-789-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Php4 (4.3.10-16 or later), as listed in DSA-789-1. See References.

For SUSE Linux:
Upgrade to the latest version of php/pear XML::RPC, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:041. See References.

X86 Platform:
SUSE Linux 8.2: 4.3.1-180 or later

X86 and x86-64 Platforms:
SUSE Linux 9.3: 4.3.10-14.6 or later (php4) or 5.0.3-14.6 or later (php5)
SUSE Linux 9.2: 4.3.8-8.9 or later
SUSE Linux 9.1: 4.3.4-43.36 or later
SUSE Linux 9.0: 4.3.3-191 or later

Upgrade to the latest version of php4, php5, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:051. See References.

X86 and x86-64 Platforms:
SUSE Linux 9.3: 4.3.10-14.11 or later (php4) or 5.0.3-14.11 or later (php5)
SUSE Linux 9.2: 4.3.8-8.14 or later
SUSE Linux 9.1: 4.3.4-43.44 or later
SUSE Linux 9.0: 4.3.3-196 or later

For Conectiva Linux 10.0:
Upgrade to the latest version of ruby (1.8.3 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:984. See References.

For Conectiva Linux 9.0 and 10.0:
Upgrade to the latest version of php4 (4.3.11 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:980. See References.

For FreeMED:
Upgrade to the latest version of FreeMED (0.8.1.1 or later) available from the SourceForge.net FreeMED Project page. See References.

For HP Tru64 UNIX:
Refer to Hewlett-Packard Company Security Bulletin HPSBTU02083 for patch, upgrade or workaround information. See References.

For Ubuntu Linux:
Refer to USN-147-1 and USN-147-2 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References

SA15861
PEAR XML_RPC Unspecified PHP Code Execution Vulnerability
http://secunia.com/advisories/15861/

SA15862
Serendipity XML-RPC Unspecified PHP Code Execution Vulnerability
http://secunia.com/advisories/15862/

PEAR XML_RPC Download Web page
Package Information: XML_RPC
http://pear.php.net/package/XML_RPC/download/

PEAR Web page
What is PEAR?
http://pear.php.net/manual/en/introduction.php

SA15810
phpMyFAQ XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15810/

SecurityTracker Alert ID: 1014327
XML-RPC for PHP Lets Remote Users Execute Arbitrary PHP Code
http://www.securitytracker.com/alerts/2005/Jun/1014327.html

phpMyFAQ Download Web page
Stable versions
http://www.phpmyfaq.de/download.php

SourceForge.net
Project: Serendipity PHP Weblog System: File List
http://sourceforge.net/project/showfiles.php?group_id=75065

Drupal Web site
Drupal
http://drupal.org/project/drupal

SA15872
Drupal PHP Code Execution Vulnerabilities
http://secunia.com/advisories/15872/

SA15922
Jaws "path" File Inclusion and XML-RPC PHP Code Execution
http://secunia.com/advisories/15922/

SA15852
XML-RPC for PHP PHP Code Execution Vulnerability
http://secunia.com/advisories/15852/

SA15945
Fedora update for php
http://secunia.com/advisories/15945/

SA15947
MailWatch for MailScanner XML-RPC PHP Code Execution
http://secunia.com/advisories/15947/

SourceForge.net
Project: MailWatch for MailScanner: File List
http://sourceforge.net/project/showfiles.php?group_id=87163

GLSA 200507-06 / Tikiwiki
TikiWiki: Arbitrary command execution through XML-RPC
http://www.gentoo.org/security/en/glsa/glsa-200507-06.xml

SA15944
TikiWiki XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15944/

SA15946
Gentoo update for tikiwiki
http://secunia.com/advisories/15946/

SA15892
Red Hat update for php
http://secunia.com/advisories/15892/

RHSA-2005:564-15
php security update
http://rhn.redhat.com/errata/RHSA-2005-564.html

SA16002
Debian update for drupal
http://secunia.com/advisories/16002/

DSA-745-1
drupal -- input validation errors
http://www.debian.org/security/2005/dsa-745

SA15916
eGroupWare XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15916/

SA15917
phpGroupWare XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15917/

phpGroupWare Web site
phpGroupWare.org
http://www.phpgroupware.org/

SA15999
Debian update for egroupware
http://secunia.com/advisories/15999/

DSA-747-1
egroupware -- input validation error
http://www.debian.org/security/2005/dsa-747

GLSA 200507-07 / phpwebsite
phpWebSite: Multiple vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200507-07.xml

Multiple vulnerabilities in Phpwebsite: Hackers Centers: Internet Security Archive
Multiple vulnerabilities in Phpwebsite
http://www.hackerscenter.com/archive/view.asp?id=3489

SA15958
phpWebSite SQL Injection and Disclosure of Sensitive Information
http://secunia.com/advisories/15958/

phpWebSite Security Patch Web site
phpWebSite Security Patch
http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=989

SA16027
Gentoo update for phpwebsite
http://secunia.com/advisories/16027/

SUSE Security Announcement SUSE-SA:2005:041
SUSE Security Announcement: php/pear XML RPC remote code execution (SUSE-SA:2005:041)
http://www.novell.com/linux/security/advisories/2005_41_php_pear.html

SA16014
SUSE update for php/pear XML::RPC
http://secunia.com/advisories/16014/

phpWebSite Web site
phpWebSite
http://phpwebsite.appstate.edu/

GLSA 200507-10 / ruby
Ruby: Arbitrary command execution through XML-RPC
http://www.gentoo.org/security/en/glsa/glsa-200507-10.xml

SA15767
Ruby XMLRPC.iPIMethods Arbitrary Command Execution
http://secunia.com/advisories/15767/

Ruby Advisory: XMLRPC.iPIMethods Vulnerability
XMLRPC.iPIMethods Vulnerability
http://www.ruby-lang.org/en/20050701.html

Mandrake Security Advisory MDKSA-2005:118
Updated ruby packages fix vulnerabilities
http://www.mandriva.com/security/advisories?name=MDKSA-2005:118

SA16045
Mandriva update for ruby
http://secunia.com/advisories/16045/

US-CERT Vulnerability Note VU#442845
Multiple PHP XML-RPC implementations vulnerable to code injection
http://www.kb.cert.org/vuls/id/442845

DSA 748-1
ruby1.8 -- bad default value
http://www.debian.org/security/2005/dsa-748

Nobuhiro IMAI Web page
arbitrary command execution on XMLRPC server
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237

DSA-746-1
phpgroupware -- input validation error
http://www.debian.org/security/2005/dsa-746

Gentoo Linux Security Announcement GLSA 200507-15
PHP: Script injection through XML-RPC
http://www.gentoo.org/security/en/glsa/glsa-200507-15.xml

Gentoo Linux Security Announcement GLSA 200507-08
phpGroupWare, eGroupWare: PHP script injection vulnerability
http://www.gentoo.org/security/en/glsa/glsa-200507-08.xml

Gentoo Linux Security Announcement GLSA 200507-02
WordPress: Multiple vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200507-02.xml

Gentoo Linux Security Announcement GLSA 200507-01
PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
http://www.gentoo.org/security/en/glsa/glsa-200507-01.xml

DSA-789-1
php4 -- several vulnerabilities
http://www.debian.org/security/2005/dsa-789

SUSE Security Announcement SUSE-SA:2005:051
php4,php5
http://www.novell.com/linux/security/advisories/2005_51_php.html

SUSE Security Announcement SUSE-SA:2005:041
php/pear XML::RPC
http://www.novell.com/linux/security/advisories/2005_41_php_pear.html

CIAC INFORMATION BULLETIN P-312
Apple Security Update 2005-008
http://www.ciac.org/ciac/bulletins/p-312.shtml

Conectiva Linux Security Announcement CLSA-2005:984
Fix for security vulnerability in ruby
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000984

Conectiva Linux Security Announcement CLSA-2005:980
Fix for php4 vulnerability
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000980

FrSIRT/ADV-2005-2554
FreeMED XML-RPC Library Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/2554

SourceForge.net
About FreeMED Project
http://sourceforge.net/projects/freemed/

Hewlett-Packard Company Security Bulletin HPSBTU02083
SSRT051069 - HP Tru64 Unix Secure Web Server (SWS 6.4.1 and earlier) PHP/XMLRPC Remote Unauthorized Execution of Arbitrary Code
http://archives.neohapsis.com/archives/bugtraq/2005-12/0087.html

USN-147-1
php4, php4-universe vulnerability
http://www.ubuntu.com/usn/usn-147-1

USN-147-2
php4, php4-universe fixed packages
http://www.ubuntu.com/usn/usn-147-2

ISS X-Force
XML-RPC for PHP eval() XML with single quote PHP code execution
http://www.iss.net/security_center/static/21194.php

CVE
CVE-2005-1921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1921