Web apps compromised by security hole

Security vulnerabilities have been discovered in a widespread Web services protocol which could allow an attacker to take control of a vulnerable server.

The holes, found in XML-RPC For PHP and PEAR XML_RPC, affect a large number of Web applications, according to an advisory from GulfTech Research And Development LLC, which discovered the flaws.

XML-based RPC (Remote Procedure Call) systems such as XML-RPC are used with HTTP to power Web services, a simple and increasingly popular way of providing services online. XML-RPC For PHP and PEAR XML_RPC implement XML-RPC for the PHP scripting language.

XML-RPC For PHP, also called PHPXMLRPC, is used in many popular Web applications such as PostNuke, Drupal, b2evolution and TikiWiki, according to GulfTech.

“PHPXMLRPC is vulnerable to a very high risk remote PHP code execution vulnerability that may allow for an attacker to compromise a vulnerable Web server,” GulfTech said.

The vulnerability is caused by the component’s failure to properly sanitize data that is passed to an eval() call in the parseRequest() function of the XML-RPC server, GulfTech said. “By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute PHP code on the target server,” the advisory said.
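The root cause the advisory describes is request data being turned into PHP source text that is then handed to eval(), so a quote character in a parameter changes the meaning of the generated code. The safe design is to walk the XML tree and build native values directly, so data never becomes code. The decoder below is an added example written for this article (not code from PHPXMLRPC, PEAR XML_RPC or the advisory), in Python rather than PHP for the sake of a runnable illustration; the request body is constructed.

```python
"""Structural decoding of an XML-RPC <methodCall> without eval()."""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

# Constructed sample request (not from the advisory). The first parameter
# carries single quotes, which are plain data to a structural decoder.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>blog.getPost</methodName>
  <params>
    <param><value><string>O'Reilly's post</string></value></param>
    <param><value><int>42</int></value></param>
    <param><value><boolean>1</boolean></value></param>
  </params>
</methodCall>"""


def decode_value(node):
    """Convert one XML-RPC <value> element into a native Python value."""
    if len(node) == 0:            # untyped <value>text</value> is a string
        return node.text or ""
    typed = node[0]
    if typed.tag == "string":
        return typed.text or ""
    if typed.tag in ("int", "i4"):
        return int(typed.text)
    if typed.tag == "boolean":
        return typed.text.strip() == "1"
    if typed.tag == "double":
        return float(typed.text)
    if typed.tag == "array":
        return [decode_value(v) for v in typed.find("data").findall("value")]
    if typed.tag == "struct":
        return {m.findtext("name"): decode_value(m.find("value"))
                for m in typed.findall("member")}
    raise ValueError(f"unsupported XML-RPC type: {typed.tag}")


def parse_request(xml_text):
    """Return (method_name, params); no source text is generated or evaluated."""
    root = ET.fromstring(xml_text)
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    name = root.findtext("methodName")
    params = [decode_value(p.find("value")) for p in root.findall("./params/param")]
    return name, params


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
```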

A new version of PHPXMLRPC is available that fixes the problem. For some applications using the component, such as eGroupWare and phpGroupWare, independent security firm Secunia recommended restricting access to XML-RPC functionality.

The vulnerability in PEAR XML_RPC is related to, but distinct from, the PHPXMLRPC vulnerability, and could also be used to compromise vulnerable servers, according to GulfTech. Version 1.3.1 of the software has been released fixing the problem.
