PHP hit by another critical flaw.
Hi,
An Article About PHP.
Please read it.
*A fresh security flaw has surfaced in widespread Web service protocol PHP
which could allow attackers to take control of vulnerable servers.
The bug was found in XML-RPC For PHP and PEAR XML_RPC as the result of a
security audit by the Hardened-PHP project. The group said it decided to
carry out its own audit after other flaws were disclosed in the two
libraries earlier this summer.
The new bug takes advantage of a technique similar to the earlier bugs,
involving eval() statements, Hardened-PHP said. "To get rid of this and
future eval() injection vulnerabilities, the Hardened-PHP Project has
developed together with the maintainers of both libraries a fix that
completely eliminates the use of eval() from the library," the project said
in its advisory.
XML-based RPC (Remote Procedure Call) systems such as XML-RPC are used with
HTTP to power Web services, a simple and increasingly popular way of
providing services online. XML-RPC For PHP (also called PHPXMLRPC) and PEAR
XML_RPC implement XML-RPC for the PHP scripting language.
The bug affects a large number of Web applications, particularly PHP-based
blogging, wiki and content management programs, according to security
experts. The PHPXMLRPC and PEAR XML_RPC libraries are used in many popular
Web applications such as PostNuke, Drupal, b2evolution and TikiWiki.
Content-management systems and blogs are increasingly used by large
corporations as a way of interacting with customers and the public - IBM
even jumped into the enterprise blogging game recently.
Version 1.4.0 of PEAR XML_RPC fixes the problem, and is available from the
PEAR website.
PHPXMLRPC is fixed with version 1.2, available from the PHPXMLRPC project
site.
Software projects using the libraries have issued their own updates fixing
the problem; among these are the PHP packages included with the Red Hat and
Ubuntu Linux distributions.
FrSIRT, the French Security Incident Response Team, gave the flaw a
"high-risk" rating and independent security firm Secunia said it was "highly
critical".*
*Tamil*
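The quoted advisory says the fix removes eval() from the libraries entirely. As an added illustration (not code from PHPXMLRPC, PEAR XML_RPC or the Hardened-PHP patch), here is one way to turn an XML-RPC `<value>` into native PHP data with explicit validation and casts, so request text is never interpreted as PHP source. The helper name `xmlrpc_decode_value` and the sample document are assumptions made for this example, and only a subset of XML-RPC types is handled.

```php
<?php
// Added example: decode XML-RPC values with casts instead of eval().
// xmlrpc_decode_value() is a hypothetical helper, not a library function.
function xmlrpc_decode_value(SimpleXMLElement $value)
{
    $children = $value->children();
    if (count($children) === 0) {
        return (string) $value;          // untyped <value> is a string
    }
    $node = $children[0];
    $text = (string) $node;
    switch ($node->getName()) {
        case 'int':
        case 'i4':
            if (!preg_match('/^[+-]?\d+$/', $text)) {
                throw new InvalidArgumentException('malformed int');
            }
            return (int) $text;
        case 'boolean':
            if ($text !== '0' && $text !== '1') {
                throw new InvalidArgumentException('malformed boolean');
            }
            return $text === '1';
        case 'string':
            return $text;                // kept as data, never executed
        case 'array':
            $out = [];
            foreach ($node->data->value as $item) {
                $out[] = xmlrpc_decode_value($item);
            }
            return $out;
        case 'struct':
            $out = [];
            foreach ($node->member as $m) {
                $out[(string) $m->name] = xmlrpc_decode_value($m->value);
            }
            return $out;
        default:                         // reject anything not whitelisted
            throw new InvalidArgumentException('unsupported type');
    }
}

// Constructed sample input: the title contains quotes and semicolons.
$xml = <<<'XML'
<value><struct>
  <member><name>id</name><value><int>42</int></value></member>
  <member><name>title</name><value><string>'; echo "still data"; //</string></value></member>
  <member><name>tags</name><value><array><data><value>php</value></data></array></value></member>
</struct></value>
XML;
var_dump(xmlrpc_decode_value(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET)));
```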