FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  318877
Date:      2013-05-23
Time:      15:30:07Z
Committer: flo

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
e65ad1bf-0d8b-11da-90d0-00304823c0d3pear-XML_RPC -- remote PHP code injection vulnerability

A Hardened-PHP Project Security Advisory reports:

When the library parses XMLRPC requests/responses, it constructs a string of PHP code, that is later evaluated. This means any failure to properly handle the construction of this string can result in arbitrary execution of PHP code.

This new injection vulnerability is cause by not properly handling the situation, when certain XML tags are nested in the parsed document, that were never meant to be nested at all. This can be easily exploited in a way, that user-input is placed outside of string delimiters within the evaluation string, which obviously results in arbitrary code execution.

Note that several applications contains an embedded version on XML_RPC, therefor making them the vulnerable to the same code injection vulnerability.


Discovery 2005-08-15
Entry 2005-08-15
Modified 2005-09-04
pear-XML_RPC
lt 1.4.0

phpmyfaq
lt 1.4.11

drupal
lt 4.6.3

eGroupWare
lt 1.0.0.009

phpAdsNew
lt 2.0.5

phpgroupware
lt 0.9.16.007

b2evolution
lt 0.9.0.12_2

CVE-2005-2498
http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1
http://downloads.phpgroupware.org/changelog
http://drupal.org/files/sa-2005-004/advisory.txt
http://phpadsnew.com/two/nucleus/index.php?itemid=45
http://sourceforge.net/project/shownotes.php?release_id=349626
http://www.hardened-php.net/advisory_142005.66.html
http://www.hardened-php.net/advisory_152005.67.html
http://www.phpmyfaq.de/advisory_2005-08-15.php
e65ad1bf-0d8b-11da-90d0-00304823c0d3pear-XML_RPC -- remote PHP code injection vulnerability

A Hardened-PHP Project Security Advisory reports:

When the library parses XMLRPC requests/responses, it constructs a string of PHP code, that is later evaluated. This means any failure to properly handle the construction of this string can result in arbitrary execution of PHP code.

This new injection vulnerability is cause by not properly handling the situation, when certain XML tags are nested in the parsed document, that were never meant to be nested at all. This can be easily exploited in a way, that user-input is placed outside of string delimiters within the evaluation string, which obviously results in arbitrary code execution.

Note that several applications contains an embedded version on XML_RPC, therefor making them the vulnerable to the same code injection vulnerability.


Discovery 2005-08-15
Entry 2005-08-15
Modified 2005-09-04
pear-XML_RPC
lt 1.4.0

phpmyfaq
lt 1.4.11

drupal
lt 4.6.3

eGroupWare
lt 1.0.0.009

phpAdsNew
lt 2.0.5

phpgroupware
lt 0.9.16.007

b2evolution
lt 0.9.0.12_2

CVE-2005-2498
http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1
http://downloads.phpgroupware.org/changelog
http://drupal.org/files/sa-2005-004/advisory.txt
http://phpadsnew.com/two/nucleus/index.php?itemid=45
http://sourceforge.net/project/shownotes.php?release_id=349626
http://www.hardened-php.net/advisory_142005.66.html
http://www.hardened-php.net/advisory_152005.67.html
http://www.phpmyfaq.de/advisory_2005-08-15.php
523fad14-eb9d-11d9-a8bd-000cf18bbe54pear-XML_RPC -- arbitrary remote code execution

GulfTech Security Research Team reports:

PEAR XML_RPC is vulnerable to a very high risk php code injection vulnerability due to unsanatized data being passed into an eval() call.


Discovery 2005-06-29
Entry 2005-07-03
pear-XML_RPC
lt 1.3.1

CVE-2005-1921
http://www.gulftech.org/?node=research&article_id=00087-07012005
http://www.hardened-php.net/advisory-022005.php
b64481d9-eff4-11d9-8310-0001020eed82pear-XML_RPC -- information disclosure vulnerabilities

The pear-XML_RPC release notes reports that the following issues has been fixed:

Eliminate path disclosure vulnerabilities by suppressing error messages when eval()'ing.

Eliminate path disclosure vulnerability by catching bogus parameters submitted to XML_RPC_Value::serializeval().


Discovery 2005-07-07
Entry 2005-07-08
pear-XML_RPC
lt 1.3.2

http://pear.php.net/package/XML_RPC/download/1.3.2
b64481d9-eff4-11d9-8310-0001020eed82pear-XML_RPC -- information disclosure vulnerabilities

The pear-XML_RPC release notes reports that the following issues has been fixed:

Eliminate path disclosure vulnerabilities by suppressing error messages when eval()'ing.

Eliminate path disclosure vulnerability by catching bogus parameters submitted to XML_RPC_Value::serializeval().


Discovery 2005-07-07
Entry 2005-07-08
pear-XML_RPC
lt 1.3.2

http://pear.php.net/package/XML_RPC/download/1.3.2
523fad14-eb9d-11d9-a8bd-000cf18bbe54pear-XML_RPC -- arbitrary remote code execution

GulfTech Security Research Team reports:

PEAR XML_RPC is vulnerable to a very high risk php code injection vulnerability due to unsanatized data being passed into an eval() call.


Discovery 2005-06-29
Entry 2005-07-03
pear-XML_RPC
lt 1.3.1

CVE-2005-1921
http://www.gulftech.org/?node=research&article_id=00087-07012005
http://www.hardened-php.net/advisory-022005.php