ws-users mailing list archives

From Pannese_Don...@emc.com
Subject RE: XML-RPC security question and Apache implementation
Date Tue, 02 May 2006 20:19:07 GMT
Ok, I was wrong in reference to the eval() problem because, as you pointed out,
that is only PHP, but according to the patch at the sourceforge link below the
Java security hole allows for accessing methods. So I was just wondering
if the Apache implementation patched this problem.

Here is a snippet from the patch:
"A security fix which prevents remote systems from accessing methods on
Object ('notify', 'wait', 'hashCode', etc.) and other classes..."
Here is the link:

http://xmlrpc-c.sourceforge.net/hacks/helma-xmlrpc-introspection.diff

Thanks again

-----Original Message-----
From: Adam Taft [mailto:adam@hydroblaster.com] 
Sent: Tuesday, May 02, 2006 3:41 PM
To: xmlrpc-user@ws.apache.org
Subject: Re: XML-RPC security question and Apache implementation


Apache's XML-RPC is a Java based implementation.  The vulnerability in 
question is PHP related only.  Not seeing how this could be a problem.


Pannese_Donald@emc.com wrote:
> Hello,
> 
> Is the Apache implementation of XML-RPC patched in terms of the eval()
> security hole?
> 
> Here is what I have read at the following site
> http://www.us-cert.gov/cas/bulletins/SB05-271.html
> 
> "A vulnerability has been reported in XML-RPC due to insufficient
> sanitization of certain XML tags that are nested in parsed documents being
> used in an 'eval()' call, which could let a remote malicious user execute
> arbitrary PHP code."
> 
> TIA,
> -Don
> 


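The Java hole Don is asking about, illustrated as an added example (this is not Apache XML-RPC or Helma code; the CalcService/Calculator handler, the handler registry and the "handler.method" call syntax are assumptions for the illustration): a dispatcher that resolves a remote method name by reflection against the handler's runtime class picks up the public methods every object inherits from java.lang.Object, which is exactly the 'notify', 'wait', 'hashCode' list in the patch description. The hardened variant registers each handler under an explicit interface and dispatches only methods that interface declares.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not Apache XML-RPC or Helma code) of how a
 * reflection-based RPC dispatcher exposes java.lang.Object methods.
 * Parameter types are matched by arity only to keep the example short.
 */
public class ReflectiveDispatch {

    /** Hypothetical service contract a handler is registered under. */
    public interface CalcService {
        int add(int a, int b);
    }

    /** Hypothetical handler, registered under the name "calc". */
    public static class Calculator implements CalcService {
        public int add(int a, int b) { return a + b; }
    }

    private static Method find(Method[] candidates, String name, int arity)
            throws NoSuchMethodException {
        for (Method m : candidates) {
            if (m.getName().equals(name) && m.getParameterCount() == arity) return m;
        }
        throw new NoSuchMethodException(name + "/" + arity);
    }

    /**
     * VULNERABLE: looks the method up on the handler's runtime class.
     * Class.getMethods() includes the public methods inherited from
     * java.lang.Object (hashCode, getClass, notify, notifyAll, wait, ...),
     * so a remote caller can reach "calc.hashCode" or "calc.getClass";
     * "calc.wait" and "calc.notify" are reachable too and fail only because
     * the request thread does not hold the handler's monitor.
     */
    public static Object dispatchNaive(Map<String, Object> handlers, String call,
                                       Object... args) throws Exception {
        String[] parts = call.split("\\.", 2);
        Object target = handlers.get(parts[0]);
        if (target == null || parts.length != 2) throw new NoSuchMethodException(call);
        Method m = find(target.getClass().getMethods(), parts[1], args.length);
        return m.invoke(target, args);
    }

    /**
     * HARDENED: each handler is registered together with the interface it
     * exposes, and only methods that interface declares are dispatched.
     * getMethods() on an interface does not include Object's methods; the
     * declaring-class check is a second guard in case a class is registered.
     */
    public static Object dispatchHardened(Map<String, Object> handlers,
                                          Map<String, Class<?>> contracts,
                                          String call, Object... args) throws Exception {
        String[] parts = call.split("\\.", 2);
        Object target = handlers.get(parts[0]);
        Class<?> iface = contracts.get(parts[0]);
        if (target == null || iface == null || parts.length != 2) {
            throw new NoSuchMethodException(call);
        }
        Method m = find(iface.getMethods(), parts[1], args.length);
        if (m.getDeclaringClass() == Object.class) throw new NoSuchMethodException(call);
        return m.invoke(target, args);
    }

    public static void main(String[] argv) throws Exception {
        Map<String, Object> handlers = new HashMap<>();
        handlers.put("calc", new Calculator());
        Map<String, Class<?>> contracts = new HashMap<>();
        contracts.put("calc", CalcService.class);

        System.out.println("naive    calc.add      -> " + dispatchNaive(handlers, "calc.add", 2, 3));
        System.out.println("naive    calc.hashCode -> " + dispatchNaive(handlers, "calc.hashCode"));
        System.out.println("naive    calc.getClass -> " + dispatchNaive(handlers, "calc.getClass"));

        System.out.println("hardened calc.add      -> " + dispatchHardened(handlers, contracts, "calc.add", 2, 3));
        for (String leaked : new String[] {"calc.hashCode", "calc.getClass", "calc.wait"}) {
            try {
                dispatchHardened(handlers, contracts, leaked);
            } catch (NoSuchMethodException e) {
                System.out.println("hardened " + leaked + " refused (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with javac/java: the naive path answers calc.hashCode and calc.getClass, the hardened path refuses them and still answers calc.add. A real dispatcher must also match parameter types rather than arity alone; Object.wait alone has three public overloads, which is one reason an explicit interface allowlist is safer than filtering inherited methods by name.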