Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

Does this effect osCommerce


Recommended Posts

Below is an advisory posted on the Hardened PHP Project website. Does this vulnerability effect osCommerce code? Should this be something that we need to discuss with our hosting providers?




Hash: SHA1



                        Hardened-PHP Project



                      -= Security  Advisory =-



    Advisory: PEAR XML_RPC Remote PHP Code Injection Vulnerability

Release Date: 2005/08/15

Last Modified: 2005/08/15

      Author: Stefan Esser [sesser@hardened-php.net]


  Application: PEAR XML_RPC <= 1.3.3

    Severity: A malformed XMLRPC request can result in execution

              of arbitrary injected PHP code

        Risk: Critical

Vendor Status: Vendor has released an updated version

  References: http://www.hardened-php.net/advisory_142005.66.html





  PEAR XML_RPC is the PEAR-ified version of Useful Inc's XML-RPC

  for PHP, which is a PHP implementation of the XML-RPC protocol.

  It has support for HTTP transport, proxies and authentication.


  After Gulftech released their PHP code injection advisory in the

  end of June 2005 we sheduled the code for an audit from our side.

  Unfortunately we were able to find another vulnerability in the

  XML-RPC libraries that allows injection of arbitrary PHP code

  into eval() statements.


  Unlike the last vulnerability this is not caused by wrongly

  implemented escaping of the user input, but by an improper handling

  of XMLRPC requests and responses that are malformed in a certain



  To get rid of this and future eval() injection vulnerabilities, the

  Hardened-PHP Project has developed together with the maintainers

  of both libraries a fix that completely eliminates the use of

  eval() from the library.





  When the library parses XMLRPC requests/repsonses, it constructs

  a string of PHP code, that is later evaluated. This means any

  failure to properly handle the construction of this string can

  result in arbitrary execution of PHP code.


  In late June a problem was discovered, that certain XML tags where

  using single quotes around embedded user input and single quotes

  where not escaped. This allowed a typical injection attack. While

  all these escaping problems were believed to be fixed, I was able

  to find another problems, that allows injection of arbitrary code.


  This new injection vulnerability is cause by not properly handling

  the situation, when certain XML tags are nested in the parsed

  document, that were never meant to be nested at all. This can be

  easily exploited in a way, that user-input is placed outside of

  string delimiters within the evaluation string, which obviously

  results in arbitrary code execution.


  Therefore we have added a XML tag nesting verification into the

  code and additionally removed all call to eval(). Therefore the

  resulting patch eliminates the current and the possibility for

  future eval() holes. Additionally this means from the diff

  between a vulnerable and a not vulnerable version it is not

  possible to find the position of the flaw easily.



CVE Information:


  The Common Vulnerabilities and Exposures project (cve.mitre.org)

  has assigned the name CAN-2005-2498 to this vulnerability.



Proof of Concept:


  The Hardened-PHP Project is not going to release an exploit for

  this vulnerability to the public.



Disclosure Timeline:


  22. July  2005 - Contact with both library vendors established.

                    Issue is discussed and a patch that eliminates

      the use of eval() is developed, improved and


  12. August 2005 - Affected applications are contacted and asked

                    for beta test of the patches.

  14. August 2005 - Vendors release bugfixed versions, after

                    information about this vulnerability leaked

      through one of the affected applications to

      the public.

  15. August 2005 - Public disclosure





  We strongly recommend to upgrade to the vendor supplied new

  version, that completely eliminates all calls to eval().


      PEAR XML_RPC 1.4.0



  You can also upgrade XML_RPC with the pear commandline client,

  but because this uses a XML_RPC connection to retrieve the data

  it is not recommended.







  pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key

  Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1



Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.



Version: GnuPG v1.0.6 (GNU/Linux)

Comment: For info see http://www.gnupg.org






Link to comment
Share on other sites

I do not see how the xml tags could affect the php "constant" compatibility oscommerce uses or the newsletter settings through the admin (default core) regarding the eval function.


Now regarding contributions that's a different matter.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...