Posted to users@ws.apache.org by Pa...@emc.com on 2006/05/02 21:23:11 UTC
XML-RPC security question and Apache implementation
Hello,

Is the Apache implementation of XML-RPC patched in terms of the eval()
security hole?

Here is what I have read at the following site
http://www.us-cert.gov/cas/bulletins/SB05-271.html

"A vulnerability has been reported in XML-RPC due to insufficient
sanitization of certain XML tags that are nested in parsed documents being
used in an 'eval()' call, which could let a remote malicious user execute
arbitrary PHP code."

TIA,
-Don

Re: XML-RPC security question and Apache implementation
Posted by Adam Taft <ad...@hydroblaster.com>.
Apache's XML-RPC is a Java-based implementation. The vulnerability in
question is PHP-related only. Not seeing how this could be a problem.

Pannese_Donald@emc.com wrote:
> Hello,
>
> Is the Apache implementation of XML-RPC patched in terms of the eval()
> security hole?
>
> Here is what I have read at the following site
> http://www.us-cert.gov/cas/bulletins/SB05-271.html
>
> "A vulnerability has been reported in XML-RPC due to insufficient
> sanitization of certain XML tags that are nested in parsed documents being
> used in an 'eval()' call, which could let a remote malicious user execute
> arbitrary PHP code."
>
> TIA,
> -Don
>