XML-RPC for PHP eval() XML with single quote PHP code execution (XML_Subversion_Date_CmdExec)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server, BlackICE PC Protection, Proventia Desktop, Proventia Network IDS, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology:

This signature detects a specially-crafted REPORT query.


Default risk level

High

Sensors that have this signature

RealSecure Network: XPU 24.34, RealSecure Server Sensor: XPU 24.34, BlackICE Agent for Server: 3.6epe, BlackICE PC Protection: 3.6cpe, Proventia Desktop: 8.0.675.1730, Proventia Network IDS: XPU 24.34, Proventia Network IPS: XPU 1.73, Proventia-G 1.1 and earlier: XPU 24.34, Proventia Network MFS: XPU 1.73, BlackICE Server Protection: 3.6.cpe, Proventia Server IPS for Microsoft Windows technology: 1.0.914.1730, RealSecure Desktop Protector 3.6: epe, RealSecure Desktop: epe, Proventia Server IPS for Linux technology: 1.73

Systems affected

Debian Debian Linux: 3.0, Gentoo Linux, SuSE Linux Enterprise Server: 8, SuSE SuSE Linux: 8.2, Conectiva Linux: 9.0, SuSE SuSE Linux: 9.0, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, FedoraProject Fedora Core: 4, MandrakeSoft Mandrake Linux: 10.0, SuSE SuSE Linux: 9.1, RedHat Enterprise Linux: 3 Desktop, Conectiva Linux: 10, SuSE SuSE SLES: 9, SuSE SuSE Linux: 9.2, Canonical Ubuntu: 4.10, MandrakeSoft Mandrake Linux: 10.1, RedHat Enterprise Linux: AS, FedoraProject Fedora Core: 3, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Thorsten Rinne PhpMyFAQ: 1.4, Thorsten Rinne PhpMyFAQ: 1.5, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, MandrakeSoft Mandrake Linux: LE2005, Canonical Ubuntu: 5.04, PEAR PEAR XML_RPC: prior to 1.3.1, s9y Serendipity: prior to 0.8.2, Drupal Drupal: prior to 4.5.4, Drupal Drupal: prior to 4.6.2, Debian Debian Linux: 3.1, Jaws Jaws: prior to 0.5.2, TikiWiki TikiWiki: 1.8.5-r1 and prior, Yukihiro Matsumoto Ruby: 1.8.2-r2 and prior, Novell Open Enterprise: Server, FreeMED FreeMED: prior to 0.8.1.1, SuSE Linux Enterprise Server: 9, MandrakeSoft Mandrake Linux: LE2005 X86_64, MandrakeSoft Mandrake Linux: 10.1 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, MandrakeSoft Mandrake Linux: 10.0 AMD64, Novell Open Enterprise Server, PHP PHP: 1.0, SuSE SuSE Linux: 9.3

Type

Unauthorized Access Attempt

Vulnerability description

XML-RPC for PHP (PHPXMLRPC) could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of PHP code passed to eval() statements. A remote attacker could exploit this vulnerability by sending, in an HTTP POST request, a specially-crafted XML file that uses single quotes to escape into the eval() statements, allowing the attacker to execute arbitrary PHP code on the affected system.

Note: This vulnerability also affects PEAR XML_RPC and multiple applications that utilize the XML-RPC for PHP library or the PEAR XML_RPC library.
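The root cause described above is a decoder that builds PHP source text from attacker-controlled XML and hands it to eval(), so a single quote in a value ends the string literal and the rest becomes code. The following is an added example, not code from the ISS X-Force page or from the PHPXMLRPC / PEAR XML_RPC projects: a structural XML-RPC decoder in Python that converts each typed <value> with an explicit constructor and never evaluates document text, plus a detection helper that mirrors the signature's characterization by reporting string parameters containing a single quote. The function names, the sample request and the method name blog.getPost are constructed for this example.

```python
"""Structural XML-RPC decoding versus eval()-based decoding.

Added example (not the page's or any project's own code). Values are
decoded by type into native Python objects, so a quote inside a <string>
is data and cannot change what the server executes. The helper names
decode_value, decode_method_call and find_quoted_strings are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample request: two of the string values contain single
# quotes, which an eval()-based decoder would have mis-handled.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>blog.getPost</methodName>
  <params>
    <param><value><int>7</int></value></param>
    <param><value><string>O'Brien's notes</string></value></param>
    <param><value><struct>
      <member><name>tags</name><value><array><data>
        <value>plain</value><value><string>it's</string></value>
      </data></array></value></member>
    </struct></value></param>
  </params>
</methodCall>"""


def decode_value(value_el):
    """Decode one XML-RPC <value> element into a native Python object.

    No document text is ever concatenated into source code or evaluated;
    each XML-RPC type is converted with its own explicit constructor.
    """
    children = list(value_el)
    if not children:
        # An untyped <value> is a string according to the XML-RPC spec.
        return value_el.text or ""
    typed = children[0]
    tag, text = typed.tag, (typed.text or "")
    if tag == "string":
        return text
    if tag in ("int", "i4"):
        return int(text.strip())
    if tag == "boolean":
        return text.strip() == "1"
    if tag == "double":
        return float(text.strip())
    if tag == "array":
        data = typed.find("data")
        if data is None:
            return []
        return [decode_value(v) for v in data.findall("value")]
    if tag == "struct":
        result = {}
        for member in typed.findall("member"):
            name_el, val_el = member.find("name"), member.find("value")
            if name_el is None or val_el is None:
                raise ValueError("malformed struct member")
            result[name_el.text or ""] = decode_value(val_el)
        return result
    raise ValueError("unsupported XML-RPC type: %s" % tag)


def decode_method_call(body):
    """Return (method name, [decoded params]) for a <methodCall> body."""
    # For untrusted input in production, parse with defusedxml instead of
    # the stdlib parser to also cover entity-expansion attacks.
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    name = (root.findtext("methodName") or "").strip()
    params_el = root.find("params")
    params = []
    if params_el is not None:
        for param in params_el.findall("param"):
            val_el = param.find("value")
            if val_el is None:
                raise ValueError("param without value")
            params.append(decode_value(val_el))
    return name, params


def find_quoted_strings(body):
    """Detection heuristic matching the advisory's description: list the
    (parameter index, value) of every string, at any nesting depth, that
    contains a single quote. A sound decoder treats these as harmless data;
    an eval()-based one would have let them break out of a PHP literal."""
    name, params = decode_method_call(body)
    hits = []

    def walk(obj, idx):
        if isinstance(obj, str) and "'" in obj:
            hits.append((idx, obj))
        elif isinstance(obj, list):
            for item in obj:
                walk(item, idx)
        elif isinstance(obj, dict):
            for item in obj.values():
                walk(item, idx)

    for i, param in enumerate(params):
        walk(param, i)
    return name, hits


if __name__ == "__main__":
    print(decode_method_call(SAMPLE_REQUEST))
    print(find_quoted_strings(SAMPLE_REQUEST))
```

Run as a script it prints the decoded call and the two flagged parameters (indexes 1 and 2). The decoder is the fix the affected libraries adopted in spirit: build values from the parse tree, never from generated source text, so quoting in the input has no code-level meaning.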

How to remove this vulnerability

Upgrade to the latest version of PEAR XML-RPC (1.3.1 or later), available from the PEAR XML_RPC Download Web page. See References.

For phpMyFAQ:
Upgrade to the latest version of phpMyFAQ (1.4.9 or later), available from the phpMyFAQ Download Web page. See References.

For Serendipity:
Upgrade to the latest version of Serendipity (0.8.2 or later), available from the SourceForge.net Web site. See References.

For Drupal:
Upgrade to the latest version of Drupal (4.5.4 or 4.6.2 or later), available from the Drupal Web site. See References.

For MailWatch for MailScanner:
Upgrade to the latest version of MailWatch for MailScanner (1.0.1 or later), available from the SourceForge.net Web site. See References.

For TikiWiki:
Upgrade to the latest version of TikiWiki (1.8.5-r1 or later), as listed in GLSA 200507-06 / Tikiwiki. See References.

For Jaws:
Upgrade to the latest version of Jaws (0.5.2 or later), available from the Jaws Web site. See References.

For phpWebSite:
Upgrade to the latest version of phpWebSite (0.10.1 or later), available from the phpWebSite Security Patch Web site. See References.

For Red Hat Linux containing the PEAR XML-RPC Server package:
Upgrade to the latest PEAR XML-RPC Server package, as listed in RHSA-2005:564-15. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of egroupware (1.0.0.007-2.dfsg-2sarge1 or later), as listed in DSA-747-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of phpgroupware (0.9.16.005-3.sarge0 or later), as listed in DSA-746-1. See References.

Upgrade to the latest version of ruby (1.8.2-7sarge1 or later), as listed in DSA-748-1. See References.

For SuSE Linux:
Upgrade to the latest versions, as listed in the SUSE Security Announcement SUSE-SA:2005:041. See References.

For Mandrake Linux 10.1:
Upgrade to the latest version of Ruby (1.8.1-4.3.101mdk or later), as listed in Mandrake Security Advisory MDKSA-2005:118. See References.

For Ruby:
Upgrade to the latest version of Ruby (1.8.2-r2 or later), as listed in GLSA 200507-10 / ruby. See References.

For Gentoo Linux:
Upgrade to the latest version of dev-php/php (4.4.0 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-15. See References.

For Gentoo Linux:
Upgrade to the latest version of phpgroupware (0.9.16.006 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-08. See References.

For Gentoo Linux:
Upgrade to the latest version of dev-lang/ruby (1.8.2-r2 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-10. See References.

For Gentoo Linux:
Upgrade to the latest version of phpWebSite (0.10.1-r1 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-07. See References.

For Gentoo Linux:
Upgrade to the latest version of WordPress (1.5.1.3 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-02. See References.

For Gentoo Linux:
Upgrade to the latest version of PEAR-XML_RPC (1.3.1 or later), as listed in Gentoo Linux Security Announcement GLSA 200507-01. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest version of php4 (4.1.2-7.woody5 or later), as listed in DSA-789-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of php4 (4.3.10-16 or later), as listed in DSA-789-1. See References.

For SUSE Linux:
Upgrade to the latest version of php/pear XML::RPC, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:041. See References.

X86 Platform:
SUSE Linux 8.2: 4.3.1-180 or later

X86 and x86-64 Platforms:
SUSE Linux 9.3: 4.3.10-14.6 or later (php4) or 5.0.3-14.6 or later (php5)
SUSE Linux 9.2: 4.3.8-8.9 or later
SUSE Linux 9.1: 4.3.4-43.36 or later
SUSE Linux 9.0: 4.3.3-191 or later

Upgrade to the latest version of php4, php5, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:051. See References.

X86 and x86-64 Platforms:
SUSE Linux 9.3: 4.3.10-14.11 or later (php4) or 5.0.3-14.11 or later (php5)
SUSE Linux 9.2: 4.3.8-8.14 or later
SUSE Linux 9.1: 4.3.4-43.44 or later
SUSE Linux 9.0: 4.3.3-196 or later

For Conectiva Linux 10.0:
Upgrade to the latest version of ruby (1.8.3 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:984. See References.

For Conectiva Linux 9.0 and 10.0:
Upgrade to the latest version of php4 (4.3.11 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:980. See References.

For FreeMED:
Upgrade to the latest version of FreeMED (0.8.1.1 or later) available from the SourceForge.net FreeMED Project page. See References.

For HP Tru64 UNIX:
Refer to Hewlett-Packard Company Security Bulletin HPSBTU02083 for patch, upgrade or workaround information. See References.

For Ubuntu Linux:
Refer to USN-147-1 and USN-147-2 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References

SA15861
PEAR XML_RPC Unspecified PHP Code Execution Vulnerability
http://secunia.com/advisories/15861/

SA15862
Serendipity XML-RPC Unspecified PHP Code Execution Vulnerability
http://secunia.com/advisories/15862/

PEAR XML_RPC Download Web page
Package Information: XML_RPC
http://pear.php.net/package/XML_RPC/download/

PEAR Web page
What is PEAR?
http://pear.php.net/manual/en/introduction.php

SA15810
phpMyFAQ XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15810/

SecurityTracker Alert ID: 1014327
XML-RPC for PHP Lets Remote Users Execute Arbitrary PHP Code
http://www.securitytracker.com/alerts/2005/Jun/1014327.html

phpMyFAQ Download Web page
Stable versions
http://www.phpmyfaq.de/download.php

SourceForge.net
Project: Serendipity PHP Weblog System: File List
http://sourceforge.net/project/showfiles.php?group_id=75065

Drupal Web site
Drupal
http://drupal.org/project/drupal

SA15872
Drupal PHP Code Execution Vulnerabilities
http://secunia.com/advisories/15872/

SA15922
Jaws "path" File Inclusion and XML-RPC PHP Code Execution
http://secunia.com/advisories/15922/

SA15852
XML-RPC for PHP PHP Code Execution Vulnerability
http://secunia.com/advisories/15852/

SA15945
Fedora update for php
http://secunia.com/advisories/15945/

SA15947
MailWatch for MailScanner XML-RPC PHP Code Execution
http://secunia.com/advisories/15947/

SourceForge.net
Project: MailWatch for MailScanner: File List
http://sourceforge.net/project/showfiles.php?group_id=87163

GLSA 200507-06 / Tikiwiki
TikiWiki: Arbitrary command execution through XML-RPC
http://www.gentoo.org/security/en/glsa/glsa-200507-06.xml

SA15944
TikiWiki XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15944/

SA15946
Gentoo update for tikiwiki
http://secunia.com/advisories/15946/

SA15892
Red Hat update for php
http://secunia.com/advisories/15892/

RHSA-2005:564-15
php security update
http://rhn.redhat.com/errata/RHSA-2005-564.html

SA16002
Debian update for drupal
http://secunia.com/advisories/16002/

DSA-745-1
drupal -- input validation errors
http://www.debian.org/security/2005/dsa-745

SA15916
eGroupWare XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15916/

SA15917
phpGroupWare XML-RPC PHP Code Execution Vulnerability
http://secunia.com/advisories/15917/

phpGroupWare Web site
phpGroupWare.org
http://www.phpgroupware.org/

SA15999
Debian update for egroupware
http://secunia.com/advisories/15999/

DSA-747-1
egroupware -- input validation error
http://www.debian.org/security/2005/dsa-747

GLSA 200507-07 / phpwebsite
phpWebSite: Multiple vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200507-07.xml

Multiple vulnerabilities in Phpwebsite: Hackers Centers: Internet Security Archive
Multiple vulnerabilities in Phpwebsite
http://www.hackerscenter.com/archive/view.asp?id=3489

SA15958
phpWebSite SQL Injection and Disclosure of Sensitive Information
http://secunia.com/advisories/15958/

phpWebSite Security Patch Web site
phpWebSite Security Patch
http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=989

SA16027
Gentoo update for phpwebsite
http://secunia.com/advisories/16027/

SUSE Security Announcement SUSE-SA:2005:041
SUSE Security Announcement: php/pear XML RPC remote code execution (SUSE-SA:2005:041)
http://www.novell.com/linux/security/advisories/2005_41_php_pear.html

SA16014
SUSE update for php/pear XML::RPC
http://secunia.com/advisories/16014/

phpWebSite Web site
phpWebSite
http://phpwebsite.appstate.edu/

GLSA 200507-10 / ruby
Ruby: Arbitrary command execution through XML-RPC
http://www.gentoo.org/security/en/glsa/glsa-200507-10.xml

SA15767
Ruby XMLRPC.iPIMethods Arbitrary Command Execution
http://secunia.com/advisories/15767/

Ruby Advisory: XMLRPC.iPIMethods Vulnerability
XMLRPC.iPIMethods Vulnerability
http://www.ruby-lang.org/en/20050701.html

Mandrake Security Advisory MDKSA-2005:118
Updated ruby packages fix vulnerabilities
http://www.mandriva.com/security/advisories?name=MDKSA-2005:118

SA16045
Mandriva update for ruby
http://secunia.com/advisories/16045/

US-CERT Vulnerability Note VU#442845
Multiple PHP XML-RPC implementations vulnerable to code injection
http://www.kb.cert.org/vuls/id/442845

DSA 748-1
ruby1.8 -- bad default value
http://www.debian.org/security/2005/dsa-748

Nobuhiro IMAI Web page
arbitrary command execution on XMLRPC server
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237

DSA-746-1
phpgroupware -- input validation error
http://www.debian.org/security/2005/dsa-746

Gentoo Linux Security Announcement GLSA 200507-15
PHP: Script injection through XML-RPC
http://www.gentoo.org/security/en/glsa/glsa-200507-15.xml

Gentoo Linux Security Announcement GLSA 200507-08
phpGroupWare, eGroupWare: PHP script injection vulnerability
http://www.gentoo.org/security/en/glsa/glsa-200507-08.xml

Gentoo Linux Security Announcement GLSA 200507-02
WordPress: Multiple vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200507-02.xml

Gentoo Linux Security Announcement GLSA 200507-01
PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
http://www.gentoo.org/security/en/glsa/glsa-200507-01.xml

DSA-789-1
php4 -- several vulnerabilities
http://www.debian.org/security/2005/dsa-789

SUSE Security Announcement SUSE-SA:2005:051
php4,php5
http://www.novell.com/linux/security/advisories/2005_51_php.html

SUSE Security Announcement SUSE-SA:2005:041
php/pear XML::RPC
http://www.novell.com/linux/security/advisories/2005_41_php_pear.html

CIAC INFORMATION BULLETIN P-312
Apple Security Update 2005-008
http://www.ciac.org/ciac/bulletins/p-312.shtml

Conectiva Linux Security Announcement CLSA-2005:984
Fix for security vulnerability in ruby
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000984

Conectiva Linux Security Announcement CLSA-2005:980
Fix for php4 vulnerability
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000980

FrSIRT/ADV-2005-2554
FreeMED XML-RPC Library Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/2554

SourceForge.net
About FreeMED Project
http://sourceforge.net/projects/freemed/

Hewlett-Packard Company Security Bulletin HPSBTU02083
SSRT051069 - HP Tru64 Unix Secure Web Server (SWS 6.4.1 and earlier) PHP/XMLRPC Remote Unauthorized Execution of Arbitrary Code
http://archives.neohapsis.com/archives/bugtraq/2005-12/0087.html

USN-147-1
php4, php4-universe vulnerability
http://www.ubuntu.com/usn/usn-147-1

USN-147-2
php4, php4-universe fixed packages
http://www.ubuntu.com/usn/usn-147-2

ISS X-Force
XML-RPC for PHP eval() XML with single quote PHP code execution
http://www.iss.net/security_center/static/21194.php

CVE
CVE-2005-2106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2106