[Cialug] Fw: [php-objects] PHP hit by another critical flaw.

Ralph Kessel kesselr1 at mchsi.com
Fri Sep 2 09:35:52 CDT 2005


----- Original Message ----- 
From: Tamil Selvan 
To: php-people at yahoogroups.co.in ; php-objects at yahoogroups.com 
Sent: Thursday, September 01, 2005 5:45 AM
Subject: [php-objects] PHP hit by another critical flaw.


Hi,
An Article About PHP.
Please read it.
*A fresh security flaw has surfaced in widespread Web service protocol PHP 
which could allow attackers to take control of vulnerable servers.

The bug was found in XML-RPC For PHP and PEAR XML_RPC as the result of a 
security audit by the Hardened-PHP project. The group said it decided to 
carry out its own audit after other flaws were disclosed in the two 
libraries earlier this summer. 


The new bug takes advantage of a technique similar to the earlier bugs, 
involving eval() statements, Hardened-PHP said. "To get rid of this and 
future eval() injection vulnerabilities, the Hardened-PHP Project has 
developed together with the maintainers of both libraries a fix that 
completely eliminates the use of eval() from the library," the project said 
in its advisory.

XML-based RPC (Remote Procedure Call) systems such as XML-RPC are used with 
HTTP to power Web services, a simple and increasingly popular way of 
providing services online. XML-RPC For PHP (also called PHPXMLRPC) and PEAR 
XML_RPC implement XML-RPC for the PHP scripting language.

The bug affects a large number of Web applications, particularly PHP-based 
blogging, wiki and content management programs, according to security 
experts. The PHPXMLRPC and PEAR XML_RPC libraries are used in many popular 
Web applications such as PostNuke, Drupal, b2evolution and TikiWiki.

Content-management systems and blogs are increasingly used by large 
corporations as a way of interacting with customers and the public - IBM 
even jumped into the enterprise blogging game recently.

Version 1.4.0 of PEAR XML_RPC fixes the problem, and is available from the 
PEAR website.

PHPXMLRPC is fixed with version 1.2, available from the PHPXMLRPC project 
site.

Software projects using the libraries have issued their own updates fixing 
the problem; among these are the PHP packages included with the Red Hat and 
Ubuntu Linux distributions.

FrSIRT, the French Security Incident Response Team, gave the flaw a 
"high-risk" rating and independent security firm Secunia said it was "highly 
critical".*
*Tamil*

