Pear XML_RPC versions <=1.3.0 and PHP XMLRPC versions <=1.0 are vulnerable to PHP remote code injection. The XML parser will pass user data contained within XML elements to PHP eval without sanitization.
- The attacker sends XML data in HTTP POST to the server. The XML element contains PHP command injection.
- The XML-RPC passes the XML element to PHP eval()--executing PHP code and providing the attacker with remote code execution.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.