Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   XML-RPC for PHP Vendors:
XML-RPC for PHP Nested Tag Parsing Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014677
SecurityTracker URL:
CVE Reference:   CVE-2005-2498   (Links to External Site)
Date:  Aug 15 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.1.1 and prior versions
Description:   A vulnerability was reported in XML-RPC for PHP. A remote user can execute arbitrary PHP code on the target system.

The software does not properly process certain, malformed XMLRPC requests and responses. A document containing certain nested XML tags can trigger the flaw.

A remote user can supply an XMLRPC request with specially crafted contents to cause arbitrary PHP code to be executed by the target system.

The vendor was notified on July 22, 2005.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code on the target system, typically with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (1.2), available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Advisory 15/2005: PHPXMLRPC Remote PHP Code

Hash: SHA1

                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: PHPXMLRPC Remote PHP Code Injection Vulnerability
 Release Date: 2005/08/15
Last Modified: 2005/08/15
       Author: Stefan Esser []

  Application: PHPXMLRPC <= 1.1.1
     Severity: A malformed XMLRPC request can result in execution
               of arbitrary injected PHP code
         Risk: Critical
Vendor Status: Vendor has released an updated version


   PHPXMLRPC is the successor of Useful Inc's XML-RPC for PHP, which 
   is a PHP implementation of the XML-RPC protocol. 
   After Gulftech released their PHP code injection advisory in the
   end of June 2005 we sheduled the code for an audit from our side.
   Unfortunately we were able to find another vulnerability in the
   XML-RPC libraries that allows injection of arbitrary PHP code 
   into eval() statements.
   Unlike the last vulnerability this is not caused by wrongly
   implemented escaping of the user input, but by an improper handling
   of XMLRPC requests and responses that are malformed in a certain

   To get rid of this and future eval() injection vulnerabilities, the
   Hardened-PHP Project has developed together with the maintainers
   of both libraries a fix that completely eliminates the use of 
   eval() from the library.


   When the library parses XMLRPC requests/repsonses, it constructs
   a string of PHP code, that is later evaluated. This means any 
   failure to properly handle the construction of this string can 
   result in arbitrary execution of PHP code.
   In late June a problem was discovered, that certain XML tags where
   using single quotes around embedded user input and single quotes
   where not escaped. This allowed a typical injection attack. While
   all these escaping problems were believed to be fixed, I was able
   to find another problems, that allows injection of arbitrary code.
   This new injection vulnerability is cause by not properly handling
   the situation, when certain XML tags are nested in the parsed
   document, that were never meant to be nested at all. This can be
   easily exploited in a way, that user-input is placed outside of
   string delimiters within the evaluation string, which obviously
   results in arbitrary code execution.
   Therefore we have added a XML tag nesting verification into the
   code and additionally removed all call to eval(). Therefore the 
   resulting patch eliminates the current and the possibility for
   future eval() holes. Additionally this means from the diff
   between a vulnerable and a not vulnerable version it is not
   possible to find the position of the flaw easily.

CVE Information:

   The Common Vulnerabilities and Exposures project ( 
   has assigned the name CAN-2005-2498 to this vulnerability.
Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit for 
   this vulnerability to the public.

Disclosure Timeline:

   22. July   2005 - Contact with both library vendors established.
                     Issue is discussed and a patch that eliminates
		     the use of eval() is developed, improved and
   12. August 2005 - Affected applications are contacted and asked
                     for beta test of the patches.
   14. August 2005 - Vendors release bugfixed versions, after
                     information about this vulnerability leaked 
		     through one of the affected applications to
		     the public.
   15. August 2005 - Public disclosure


   We strongly recommend to upgrade to the vendor supplied new
   version, that completely eliminates all calls to eval(). 
      PHPXMLRPC 1.2


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC