"[2] that leads to remote code execution. Unfortunately, this vulner-ability also exists in the PEAR XMLRPC implementation, and GulfTech somewhat
neglected to notify the vendors in question."This is a very unfair statement as I did my best to hunt down everyone using the vulnerable libraries. Both the PEAR guys and the PHPXMLRPC guys were contacted several days ago, and I also took the time to personally contact everyone I could find using the vulnerable XMLRPC libraries. I think it would be impossible for anyone to hunt down every application using these libraries.
In regards to the vulnerabilities: No technical details will be released by GulfTech until both libraries are updated because the holes are identical and it would cause more harm than good. Anyone using either vulnerable library should visit the official website pertaining to the library and download any updated version. Again, technical details of the vulnerabilities in these two libraries will be released in the future.
James Christopher Kunz wrote:
Hardened PHP Project www.hardened-php.net -= Security Advisory =- Advisory: Remote code execution in Serendipity Release Date: 2005/06/29 Last Modified: 2005/06/29 Author: Christopher Kunz <christopher.kunz@xxxxxxxxxxxxxxxx> Application: Serendipity <= 0.8.2 Severity: Arbitrary remote code execution Risk: Very High Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-022005.php Overview: Quote from http://www.s9y.org/:"Serendipity is a weblog/blog system, implemented with PHP. It is standardscompliant, feature rich and open source (BSD License). Serendipity isconstantly under active development, with a team of talented developerstrying to make the best PHP powered blog on the net." Details: