ws-users mailing list archives

From Adam Taft <a...@hydroblaster.com>
Subject Re: XML-RPC security question and Apache implementation
Date Tue, 02 May 2006 19:41:00 GMT

Apache's XML-RPC is a Java-based implementation.  The vulnerability in
question is PHP related only.  Not seeing how this could be a problem.


Pannese_Donald@emc.com wrote:
> Hello,
> 
> Is the Apache implementation of XML-RPC patched in terms of the eval()
> security hole?
> 
> Here is what I have read at the following site
> http://www.us-cert.gov/cas/bulletins/SB05-271.html
> 
> "A vulnerability has been reported in XML-RPC due to insufficient
> sanitization of certain XML tags that are nested in parsed documents being
> used in an 'eval()' call, which could let a remote malicious user execute
> arbitrary PHP code."
> 
> TIA,
> -Don
> 


