CVE-2005-1921
published 2005-07-05

Priority: P263
Severity: high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 79.07% (99.5th percentile)

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

Affected

7 ranges
Vendor   Product                  Version range       Fixed in
debian   debian_linux
drupal   drupal                   < 4.5.4             4.5.4
drupal   drupal                   >= 4.6.0 < 4.6.2    4.6.2
gggeek   phpxmlrpc                <= 1.1
gggeek   phpxmlrpc                <= 1.1.1
php      xml_rpc                  <= 1.3.0
tiki     tikiwiki_cms_groupware   < 1.8.5             1.8.5

Detection & IOCs (extracted from sources)

  • Detect HTTP POST requests to xmlrpc.php containing eval-injection payloads: look for single-quote escape sequences followed by PHP function calls (e.g., passthru, system, phpinfo) and comment terminators (//) in the POST body targeting the XML-RPC string parameter field.
  • The exploit payload encodes the command as a chain of chr() calls joined by dots to bypass filtering; detect POST bodies to xmlrpc.php matching the pattern chr(\d+)\.chr(\d+) inside a passthru() or similar call.
  • magic_quotes_gpc does not apply to $HTTP_RAW_POST_DATA, so single-quote injection in raw POST XML bodies is not sanitized; monitor for unescaped single quotes in XML-RPC POST data as an evasion indicator.
  • Metasploit module php_xmlrpc_eval (unix/webapp/php_xmlrpc_eval) is the canonical exploit module; correlate IDS/WAF logs for this module name or its characteristic random-alphanumeric wrapper strings surrounding command output in HTTP responses.
  • Detect the exploit check probe: HTTP POST to xmlrpc.php whose response body contains the literal string 'ownable', indicating active vulnerability scanning with the Metasploit module.
  • Look for the sentinel strings '_begin_' and '_end_' in HTTP responses from xmlrpc.php, used by the dukenn exploit to delimit command output.
  • The vulnerability affects PEAR XML_RPC 1.3.0 and earlier AND PHPXMLRPC 1.1 and earlier; both libraries must be patched independently as they are separate codebases bundled into many applications (WordPress, Drupal, Serendipity, TikiWiki, etc.).
  • The payload space is limited to 512 bytes in the Metasploit module; longer payloads delivered via chr()-encoding chains may exceed this and fail silently.
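
The request and response indicators listed above can be combined into one log or proxy check. The following is an added example, not code from any of the cited sources; the rule names, function names and sample bodies are constructed for illustration.

```python
import re

# Rule names and sample data are this example's own; the patterns follow the notes above.
PHP_CALLS = r"(?:passthru|system|phpinfo)"
REQUEST_RULES = {
    # A single quote closing the string, a PHP call, then a // comment terminator.
    "quote_escape_call": re.compile(r"'[^<]{0,40}?\b" + PHP_CALLS + r"\s*\([^<]*//", re.I),
    # A command encoded as chr(N).chr(N)... passed to one of the calls.
    "chr_chain": re.compile(PHP_CALLS + r"\s*\(\s*chr\(\d+\)(?:\s*\.\s*chr\(\d+\))+", re.I),
}

def targets_xmlrpc(path):
    """True when the request path (query string ignored) ends in xmlrpc.php."""
    return path.split("?", 1)[0].lower().endswith("xmlrpc.php")

def scan_request(method, path, body):
    """Return the sorted names of the request rules that fire on a raw POST body."""
    if method.upper() != "POST" or not targets_xmlrpc(path):
        return []
    return sorted(n for n, rx in REQUEST_RULES.items() if rx.search(body))

def scan_response(path, body):
    """Return the response indicators present in a reply from xmlrpc.php."""
    if not targets_xmlrpc(path):
        return []
    hits = []
    if "ownable" in body:
        hits.append("check_probe")
    begin, end = body.find("_begin_"), body.rfind("_end_")
    if 0 <= begin < end:
        hits.append("output_sentinels")
    return hits

# Constructed sample bodies (fragments, not captured traffic).
BENIGN = "<value><string>it's a normal post title</string></value>"
QUOTE_CALL = "<value><string>x');phpinfo();//</string></value>"
CHR_CHAIN = "<value><string>x');passthru(chr(105).chr(100));//</string></value>"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("quote", QUOTE_CALL), ("chr", CHR_CHAIN)):
        print(label, scan_request("POST", "/blog/xmlrpc.php", body))
    print(scan_response("/blog/xmlrpc.php", "k3J_begin_command output_end_9xQ"))
```

The request rules run on the raw POST body, since that is the data magic_quotes_gpc leaves untouched.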

CVSS provenance

nvd             v2.0   7.5   HIGH   AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat          7.5   HIGH