A highly critical vulnerability has been found in XML-Remote Procedure Call
The flaw could allow an attacker to take control of a vulnerable Web server.
Open source projects and Linux vendors alike have issued advisories and updates and the SANS Internet Storm Center has warned that the flaw could trigger an epidemic.
XML-RPC is set of implementations based on a specification originally drafted by Dave Winer, who’s credited with creating RSS
The vulnerability has been found in PHP
The XML-RPC implementations are at a “very high risk” from the PHP code execution vulnerability according to security firm GulfTech Research, which reported the flaw late last week.
GulfTech Research said “the vulnerability is the result of unsanatized data being passed directly into an eval() call in the parseRequest() function of the XMLRPC server.”
GulfTech’s advisory goes on to note that can attacker could easily execute exploit PHP code on the target server by creating an XML file that includes single quotes in order to escape into the eval() call.
PEAR and PHPXMLRPC have issued updates to fix the issue. Various blog, Wikis and Content Management Systems (CMS) that utilize the XML-RPC libraries have issued advisories to their users to update as well. Among the many affected programs are Serendipity, phpAdsNew, phpWiki, PostNuke, WordPress, Drupal, phpMyFAQ, b2evolution, TikiWiki. phpGroupWare and BLOG:CMS.