Web Service Protocol Security Vulnerabilities


Two security vulnerabilities discovered in implementations of a Web service protocol may allow attackers to take control of vulnerable servers.

The vulnerabilities, found in XML-RPC for PHP and PEAR XML_RPC, affect a large number of Web applications, according to a security bulletin from GulfTech, the company that found them.

XML-based Remote Procedure Call (RPC) systems, such as XML-RPC, work together with HTTP to drive Web services. XML-RPC for PHP and PEAR XML_RPC are used to implement XML-RPC for the PHP scripting language.

According to GulfTech, XML-RPC for PHP is also known as PHPXMLRPC and is used in many popular Web applications, such as PostNuke, Drupal, b2evolution, and TikiWiki.

GulfTech said: "PHPXMLRPC has a very dangerous PHP code execution vulnerability that may allow attackers to destroy vulnerable Web servers."

GulfTech says the vulnerability is caused by an eval() call in the parseRequest() function of the XMLRPC server, which receives data that the component fails to inspect properly. By creating an XML file that uses single quotes to break into the eval() call, attackers can easily execute PHP code on the target server.
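The pattern GulfTech describes can be seen in a small added illustration, which is not code from XML-RPC for PHP or PEAR XML_RPC. The function names decode_with_eval() and decode_without_eval() and the sample request are constructed for this example; the request only changes a local variable.

```php
<?php
// Added illustration, not code from XML-RPC for PHP or PEAR XML_RPC.
// decode_with_eval() and decode_without_eval() are hypothetical names.

// Unsafe pattern: the request value is pasted into PHP source and eval()'d.
function decode_with_eval(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $value = (string) $doc->params->param->value->string;
    $marker = 'untouched';
    // A single quote in $value ends the string literal early, so the rest
    // of $value is parsed as PHP statements in this function's scope.
    eval("\$decoded = '" . $value . "';");
    return ['decoded' => $decoded, 'marker' => $marker];
}

// Hardened pattern: no eval(); the value stays data from parse to return.
function decode_without_eval(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $marker = 'untouched';
    $decoded = (string) $doc->params->param->value->string;
    return ['decoded' => $decoded, 'marker' => $marker];
}

// Constructed request: the string value contains a single quote followed
// by an assignment to a local variable.
$request = <<<'XML'
<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params><param><value><string>a'; $marker = 'overwritten by input</string></value></param></params>
</methodCall>
XML;

// Compare what happened to $marker in each decoder.
var_dump(decode_with_eval($request)['marker']);
var_dump(decode_without_eval($request)['marker']);
```

In the first decoder the marker is rewritten by the request; in the second it is not, and the whole string, quote included, comes back as the decoded value.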

The latest PHPXMLRPC version fixes this problem. For applications that use this component, such as eGroupWare and phpGroupWare, the security vendor Secunia recommends limiting access to the XML-RPC functionality.

According to GulfTech, the vulnerability in PEAR XML_RPC is related to the vulnerability in PHPXMLRPC. This vulnerability may also damage vulnerable servers. The new version 1.3.1 fixes this problem.
