Vulnerability affects PHP XML-RPC library


Having just sent our upcoming book No Nonsense XML Web Development With PHP to print, I’m breathing a sigh of relief today as a widely-publicized security vulnerability has been found in a library we almost used in the book but didn’t.

PHP ships with a standard library (the xmlrpc extension) for building and consuming Web Services over the XML-RPC communication protocol. That library is the one used by the examples in the book, and it is not affected by the reported vulnerability.

Because this standard library is not enabled in a default PHP installation, many open source projects that require XML-RPC functionality have chosen to use an alternative library written entirely in PHP, which will run on most PHP configurations. Such alternatives include the PEAR XML-RPC module and the XML-RPC for PHP project. Both of these libraries are affected by the vulnerability: each decodes incoming XML-RPC data by assembling a PHP expression from it and passing that expression to eval(), so a crafted request can execute arbitrary PHP code on the server.

Updated versions of these libraries are now available for download, and affected open source projects are quickly releasing advisories and updated versions to address the problem. Since those projects usually bundle their own copy of the library rather than loading the PEAR package, updating the project itself is what closes the hole; check for a bundled copy even where the system-wide library has already been patched.
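The decoding pattern the comments below describe, beside a decoder that avoids it, as an added example written for this page; it is not the post's code, nor that of the PEAR XML-RPC module or the XML-RPC for PHP project. decodeWithEval is a hypothetical, deliberately unsafe toy that splices untrusted request text into a PHP expression; decodeRequest and decodeValue are a hypothetical eval()-free decoder built on SimpleXML; the request document is constructed for the demonstration. The final block shows the practitioner's check for whether the bundled xmlrpc extension is actually enabled.

```php
<?php
declare(strict_types=1);

// Toy decoder built the way the comments describe: untrusted XML text is
// spliced into a PHP expression and handed to eval(). Hypothetical, not the
// code of either affected library.
function decodeWithEval(string $xml): mixed
{
    if (!preg_match('#<string>(.*?)</string>#s', $xml, $m)) {
        return null;
    }
    $v = null;
    eval('$v = \'' . $m[1] . '\';'); // $m[1] is attacker-controlled and unescaped
    return $v;
}

// Safe decoder: no eval(). Each <value> is converted by a fixed, recursive
// switch on its type element, so request text is only ever data.
function decodeValue(SimpleXMLElement $value): mixed
{
    foreach ($value->children() as $typed) {
        switch ($typed->getName()) {
            case 'string':
                return (string) $typed;
            case 'int':
            case 'i4':
                return (int) ((string) $typed);
            case 'boolean':
                return ((string) $typed) === '1';
            case 'double':
                return (float) ((string) $typed);
            case 'array':
                $out = [];
                foreach ($typed->data->value as $item) {
                    $out[] = decodeValue($item);
                }
                return $out;
            case 'struct':
                $out = [];
                foreach ($typed->member as $member) {
                    $out[(string) $member->name] = decodeValue($member->value);
                }
                return $out;
            default:
                throw new InvalidArgumentException('unsupported XML-RPC type: ' . $typed->getName());
        }
    }
    return (string) $value; // untyped <value>text</value> is a string per the spec
}

function decodeRequest(string $xml): array
{
    libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    if ($doc === false || $doc->getName() !== 'methodCall') {
        throw new InvalidArgumentException('not an XML-RPC methodCall');
    }
    $params = [];
    if (isset($doc->params)) {
        foreach ($doc->params->param as $param) {
            $params[] = decodeValue($param->value);
        }
    }
    return ['method' => (string) $doc->methodName, 'params' => $params];
}

// Constructed request. The first parameter breaks out of the quoted string
// that decodeWithEval builds and substitutes an expression of its own.
$request = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params>
    <param><value><string>x'; \$v = PHP_VERSION; \$u = 'y</string></value></param>
    <param><value><struct>
      <member><name>count</name><value><int>7</int></value></member>
      <member><name>tags</name><value><array><data>
        <value><string>a</string></value><value><boolean>1</boolean></value>
      </data></array></value></member>
    </struct></value></param>
  </params>
</methodCall>
XML;

$safe    = decodeRequest($request);
$viaEval = decodeWithEval($request);
var_dump($safe['params'][0] === "x'; \$v = PHP_VERSION; \$u = 'y"); // literal text survives
var_dump($viaEval === PHP_VERSION);                                  // the "string" ran as code

// Practitioner's check: is the bundled extension enabled on this build?
if (extension_loaded('xmlrpc')) {
    $method = '';
    xmlrpc_decode_request($request, $method);
    var_dump($method === 'demo.echo');
}
```

Run with `php example.php`. The safe decoder hands back the first parameter exactly as sent, while decodeWithEval returns the interpreter's version string instead, which is the whole vulnerability in miniature: the request text decided what PHP executed. The last block is the quickest way to confirm whether the standard extension the book relies on is present; `php -m` lists the same information from the command line.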

Written By:

Kevin Yank

Kevin began developing for the Web in 1995 and is a highly respected technical author. He wrote Build your own Database Driven Website using PHP and MySQL, a practical step-by-step guide published by SitePoint, and he's co-author of the SitePoint Tech Times, a bi-weekly newsletter for technically-minded web developers. Kev believes that any good webmaster should have seen at least one episode of MacGyver.


{ 4 comments }

Gaetano Giunta July 16, 2005 at 6:04 pm

May I only point out that the code in question dates circa 1999, long before the php core team had even dreamed about ‘register_globals=BAD’.

Everybody is tighter on security as of 2005.

The only strange thing is nobody had ever found the breach before, given the wide exposure of the libs…

Clenard July 6, 2005 at 4:48 pm

Looking forward to this new book!

DaisyChain July 6, 2005 at 4:36 am

The new book sounds exciting!! When will it be released and are you able to say yet what topics it’s going to cover? I’m keen to start learning about practical applications of XML.

Nico Edtinger July 6, 2005 at 4:32 am

May I take the quote out of the article “Eval is dead” from February (!): Rasmus: “If eval() is the answer, you’re almost certainly asking the wrong question.”

It’s here: http://www.sitepoint.com/blog-post-view.php?id=238381

So we already knew it before. And still they thought it would be easier to use eval() to decode. BTW both libs seem to come from the same code.

The solution is simple. Don’t use code that uses eval and code you don’t know exactly. If a string is generated from user input you can never know what the string’ll look like. Thus no one should use both libs as long as they only code around the problem instead of finding a replacement for the eval().

b4n
