Security vulnerabilities have been discovered in a widespread Web service protocol which could allow an attacker to take control of a vulnerable server.
The holes, found in XML-RPC For PHP and PEAR XML_RPC, affect a large number of Web applications, according to an advisory from GulfTech, which discovered the flaws.
XML-based RPC (Remote Procedure Call) systems such as XML-RPC are used with HTTP to power Web services, a simple and increasingly popular way of providing services online. XML-RPC For PHP and PEAR XML_RPC implement XML-RPC for the PHP scripting language.
Also called PHPXMLRPC, the protocol is used in many popular Web applications such as PostNuke, Drupal, b2evolution and TikiWiki, according to GulfTech. "PHPXMLRPC is vulnerable to a very high risk remote PHP code execution vulnerability that may allow for an attacker to compromise a vulnerable Web server," GulfTech said.
The vulnerability is caused by the component's failure to properly sanitise data being passed to an eval() call in the parseRequest() function of the XMLRPC server, GulfTech said. "By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server," the advisory said.
A new version of PHPXMLRPC is available fixing the problem. For some applications using the component, such as eGroupWare and phpGroupWare, independent security firm Secunia recommended restricting access to XML-RPC functionality.
The vulnerability in PEAR XML_RPC is related to, but distinct from the PHPXMLRPC vulnerability, and could also be used to compromise vulnerable servers, according to GulfTech. Version 1.3.1 of the software has been released fixing the problem.