PHPXMLRPC and PEAR XML_RPC Remote Code Injection Vulnerability

Solution:
The vendor has released version 1.2 of PHPXMLRPC and version 1.4 of PEAR XML_RPC to correct this problem.

Nucleus CMS has released a patch addressing this issue. Reports indicate an upgrade will be available shortly. Please contact the vendor for further information.

eGroupWare has addressed this issue in version 1.0.0.009.

phpPgAds and phpAdsNew have released patches addressing this issue.

Mailwatch for MailScanner has released a patch addressing this issue.

LiveSupport has released an update addressing this issue.

Ubuntu Linux has released security advisory USN-171-1 addressing this and other issues. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Red Hat has released advisory RHSA-2005:748-05, along with fixes to address this issue in PHP4 for Red Hat Enterprise Linux operating systems. Please see the referenced advisory for further information.

Mandriva has released advisory MDKSA-2005:146, along with fixes to address this issue in php-pear. Please see the referenced advisory for further information.

Gentoo Linux has released advisory GLSA 200508-13 to address this issue in PEAR-XML_RPC and phpxmlrpc. Users of affected packages are urged to execute the following commands with superuser privileges:

PEAR-XML_RPC users:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-XML_RPC-1.4.0"

phpxmlrpc users:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/phpxmlrpc-1.2-r1"

Please see the referenced advisory for further information.

Gentoo Linux has released advisory GLSA 200508-14 to address this issue in eGroupWare and TikiWiki. Users of affected packages are urged to execute the following commands with superuser privileges:

TikiWiki users:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.5-r2"

eGroupWare users:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/egroupware-1.0.0.009"

Gentoo Linux has released advisory GLSA 200508-18 to address this issue in PhpWiki. Users of affected packages are urged to execute the following commands with superuser privileges:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.10-r2"

Please see the referenced advisory for further information.

Fedora has released advisories FEDORA-2005-809 and FEDORA-2005-810 containing an upstream version of the PEAR XML_RPC package to address this issue in Fedora Core 3 and Fedora Core 4. Please see the referenced advisories for more information.

Debian has released advisory DSA 789-1 to address various issues. Please see the referenced advisory for more information.

SUSE has released advisory SUSE-SA:2005:049 to address this and other issues affecting PHP. Please see the referenced advisory for more information.

Gentoo Linux has released security advisory GLSA 200508-20 addressing this issue. Gentoo recommends that all phpGroupWare users upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpgroupware-0.9.16.008"

SUSE has reported that some fixes included in the advisory SUSE-SA:2005:049 for SUSE Linux Enterprise Server 9, SUSE Linux 9.0, 9.1, 9.2 and 9.3 have been removed due to the introduction of new bugs. SUSE plans to release a new advisory containing updated fixes in the near future.

Gentoo Linux has released security advisory GLSA 200508-21 addressing this issue. Gentoo recommends that all phpWebSite users upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.10.2_rc2"

Slackware Linux has released advisory SSA:2005-242-02 to address this issue. Please see the referenced advisory for more information.

Debian has released advisory DSA 798-1 to address this and other issues in phpgroupware. Please see the referenced advisory for more information.

SUSE has released advisory SUSE-SA:2005:051 to address this and other issues. Please see the referenced advisory for links to fixes.

SGI has released Security Update #46 to address this and other issues for SGI Propack 3 Service Pack 6. Please see the referenced advisory for further information.

Slackware has released security advisory SSA:2005-251-04 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Gentoo has released security advisory GLSA 200509-19 addressing this issue. Gentoo recommends the following:

All PHP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose dev-php/php

All mod_php users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose dev-php/mod_php

All php-cgi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose dev-php/php-cgi

Debian Linux has released security advisory DSA 840-1 addressing this issue for Drupal. Please see the referenced advisory for more information.

Debian Linux has released security advisory DSA 842-1 addressing this issue for eGroupware. Please see the referenced advisory for more information.

Conectiva Linux has released security advisory CLSA-2005:1024 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

b2evolution has addressed this issue in version 0.9.1.

Fedora Legacy advisory FLSA:166943 is available to address various issues affecting PHP in Red Hat Linux 7.3, Red Hat Linux 9, Fedora Core 1, and Fedora Core 2. Please see the referenced advisory for more information.

Vulnerable:
Red Hat Fedora Core 3
b2evolution b2evolution 0.8.2.2
b2evolution b2evolution 0.8.6
b2evolution b2evolution 0.8.6.1
b2evolution b2evolution 0.8.7
b2evolution b2evolution 0.9.0.12
b2evolution b2evolution 0.9.0.03
b2evolution b2evolution 0.9.0.10
b2evolution b2evolution 0.9.0.11
PHPGroupWare PHPGroupWare 0.9.12
PHPGroupWare PHPGroupWare 0.9.13
PHPGroupWare PHPGroupWare 0.9.14
PHPGroupWare PHPGroupWare 0.9.14.002
PHPGroupWare PHPGroupWare 0.9.14.007
PHPGroupWare PHPGroupWare 0.9.16 RC3
PHPGroupWare PHPGroupWare 0.9.16.003
PHPGroupWare PHPGroupWare 0.9.16.000
PHPGroupWare PHPGroupWare 0.9.16.006
PHPGroupWare PHPGroupWare 0.9.16.005
eGroupWare eGroupWare 1.0.1
eGroupWare eGroupWare 1.0.3
eGroupWare eGroupWare 1.0.6
PHPXMLRPC PHPXMLRPC 1.1.1
PEAR XML_RPC 1.3.3
phpAdsNew phpAdsNew 2.0.4-pr2
SGI ProPack 3.0 SP6
Nucleus CMS Nucleus CMS 3.1
Nucleus CMS Nucleus CMS 3.21
Drupal Drupal 4.5
Drupal Drupal 4.5.1
Drupal Drupal 4.6
Drupal Drupal 4.6.1
Drupal Drupal 4.6.2

Copyright 2010, SecurityFocus