Category:   Application (Forum/Board/Portal)  >   PostNuke
Vendors:   postnuke.com
(PostNuke Issues Advisory) XML-RPC for PHP Lets Remote Users Execute Arbitrary PHP Code
SecurityTracker Alert ID:  1014353
SecurityTracker URL:  http://securitytracker.com/id/1014353
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 1 2005
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): prior to .760
Description:   A vulnerability was reported in XML-RPC for PHP. A remote user can execute arbitrary PHP code on the target system. PostNuke includes XML-RPC and is affected.

PHPXMLRPC is vulnerable to a very high risk remote PHP code execution vulnerability that may allow an attacker to compromise a vulnerable webserver. The vulnerability is the result of unsanitized data being passed directly into an eval() call in

The parseRequest() function does not properly validate user-supplied input before making an eval() call. A remote user can create a specially crafted XML file and submit the file in an HTTP POST request to execute arbitrary PHP code on the target system.

A demonstration exploit is provided:

<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
<params>
<param>
<value><name>','')); phpinfo(); exit;/*</name></value>
</param>
</params>
</methodCall>

PEAR XML_RPC is also affected.
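
As an added example (not code from the advisory, PostNuke or the XML-RPC library), the following Python filter checks an XML-RPC POST body against the element grammar of the XML-RPC specification before it reaches the library. It rejects the demonstration request above because `<name>` is not a valid child of `<value>`. The names `inspect_request`, `walk` and `GRAMMAR` are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

SCALARS = {"i4", "int", "boolean", "string", "double", "dateTime.iso8601", "base64"}
# Allowed children per parent (XML-RPC spec); tags absent as keys are text-only leaves.
GRAMMAR = {
    "methodCall": {"methodName", "params"}, "params": {"param"},
    "param": {"value"}, "value": SCALARS | {"struct", "array"},
    "struct": {"member"}, "member": {"name", "value"},
    "array": {"data"}, "data": {"value"},
}
METHOD_RE = re.compile(r"[A-Za-z0-9_.:/]+")  # characters the spec allows in methodName

def walk(elem, findings):
    """Record every child element the grammar does not allow under its parent."""
    if elem.tag in ("value", "param") and len(elem) > 1:
        findings.append(f"<{elem.tag}> holds more than one element")
    for child in elem:
        if child.tag in GRAMMAR.get(elem.tag, ()):
            walk(child, findings)
        else:
            findings.append(f"unexpected <{child.tag}> inside <{elem.tag}>")

def inspect_request(body):
    """Return reasons to reject an XML-RPC POST body; an empty list means it passed."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["not well-formed XML"]
    if root.tag != "methodCall":
        return ["root element is not <methodCall>"]
    findings = []
    if not METHOD_RE.fullmatch(root.findtext("methodName") or ""):
        findings.append("illegal character in <methodName>")
    walk(root, findings)
    return findings

# Constructed benign request, and the demonstration request quoted in the advisory.
BENIGN = ("<?xml version='1.0'?><methodCall><methodName>test.method</methodName>"
          "<params><param><value><string>hello</string></value></param></params>"
          "</methodCall>")
ADVISORY_DEMO = ("<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName>"
                 "<params><param><value><name>','')); phpinfo(); exit;/*</name></value>"
                 "</param></params></methodCall>")
if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("advisory demo", ADVISORY_DEMO)):
        print(label, "->", inspect_request(body) or "ok")
```

A structural filter like this is a compensating check in front of the endpoint; the remedy the advisory gives is still removing the module or installing the fixed library.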

The vendor was notified on June 26, 2005.

James from GulfTech Security Research discovered this vulnerability.

Impact:   A remote user can execute arbitrary PHP code on the target system with the privileges of the target web service.
Solution:   PostNuke includes the affected XML-RPC library and, therefore, is vulnerable. The PostNuke vendor plans to issue a new version (.760) that does not contain the vulnerable component.

The PostNuke vendor recommends that you deactivate and remove the 'xmlrpc' module within administration-modules and also remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem while waiting for a fix from the XML-RPC vendor.

[Editor's note: A fixed version of XML-RPC is now available from the XML-RPC vendor.]

Vendor URL:  news.postnuke.com/Article2699.html
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 29 2005 XML-RPC for PHP Lets Remote Users Execute Arbitrary PHP Code



 Source Message Contents

Date:  Wed, 29 Jun 2005 10:54:26 +0100
Subject:  Fwd: [Postnuke-security] PostNuke CMS Security Advisory PNSA 2005-3


Remote Code Injection via xml rpc (third party library used in
PostNuke CMS < .760)

DESCRIPTION
PostNuke CMS is an open source, open development content management
system (CMS). PostNuke CMS started as a fork from PHPNuke and provides
many enhancements and improvements over the PHP-Nuke system.
PostNuke CMS is still undergoing development but a large number of
core functions are now stabilising and a complete API for third-party
developers (including ADODB database abstraction and SMARTY
templating) is in place.
The PostNuke CMS Development Team was notified about a security issue
within the current .750 stable package and the .760 development tree.

VULNERABILITIES
- remote code injection via xml rpc library

SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc'
module within administration-modules and additionally remove
/xmlrpc.php and the /modules/xmlrpc folder completely from the
filesystem.
The PostNuke CMS Development Team highly recommends to *not* use the
xml rpc library until the maintainers [1] provide a secure solution.
Once an updated version is available a modularized version will be
provided for download as an additional module.
Note: The upcoming .760 release will not contain the xml rpc library.

CREDITS
The exploit has been originally found by James from GulfTech Security
Research (http://www.gulftech.org) and was reported via security
contact. Additionally the maintainers of the xml rpc library were
contacted.

Andreas Krapohl [larsneo]
PostNuke CMS Development Team

[1] http://phpxmlrpc.sourceforge.net/