phpxmlrpc
Vulnerability detected CWE ID 95 in version 4.2.0
In the path: /src/Wrapper.php 1069 Vulnerability name: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Can you share some more details about the scanner used to generate such warning, and its configuration?
I am fully aware that the code uses the eval function, but the context is quite bounded, so there is probably no risk for your application (by default no code from the library makes use of the Wrapper class - the only way to use it is for you to use it in your own code, or if you already have a php code-injection problem somewhere else)
@TatianaGarcia94 no feedback?
Dear sir, The analysis performed was a static analysis, through which the mentioned line was detected. According to security standards, this line was detected as the vulnerability Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
PS: The only part of the php code which is evaluated in line 1069 that comes from an untrusted source is sanitized via this call:
```php
// dots become underscores; any byte outside [a-zA-Z0-9_\x7f-\xff] is dropped
$opts['new_function_name'] = preg_replace(array('/\./', '/[^a-zA-Z0-9_\x7f-\xff]/'), array('_', ''), $mName);
```
I think that is sufficiently safe - unless there are attacks at play which would fool preg_replace, which I have not heard about.
Note that $mName is guaranteed to be a utf8 stream, unless the developer has gone out of their way to change the value of PhpXmlRpc::$xmlrpc_internalencoding before calling wrapXmlrpcServer
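As an added illustration of the sanitization discussed in the comment above (example code written for this thread, not part of phpxmlrpc), the script below runs the same preg_replace over a few constructed method names and checks that each result is a bare PHP identifier, i.e. that nothing in the name can change the structure of the code it is spliced into. The identifier grammar is the one from the PHP manual; the function names and sample inputs are assumptions made for this example.

```php
<?php
// Added example, not phpxmlrpc's own code: exercises the sanitizer quoted in
// this thread on constructed method names and validates the result.

// Same two-step replacement as the Wrapper.php line quoted above:
// dots become underscores, anything outside [a-zA-Z0-9_\x7f-\xff] is dropped.
function sanitizeFunctionName(string $mName): string
{
    return preg_replace(array('/\./', '/[^a-zA-Z0-9_\x7f-\xff]/'), array('_', ''), $mName);
}

// PHP identifier grammar (PHP manual): a leading letter, underscore or byte
// >= 0x80, followed by letters, digits, underscores or bytes >= 0x80.
// A name that fails this check would be a syntax error in generated code,
// not a way to inject statements.
function isPhpIdentifier(string $name): bool
{
    return preg_match('/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/', $name) === 1;
}

// Constructed sample method names (hypothetical), including ones carrying
// characters that would matter inside PHP source if they were kept.
$samples = array(
    'system.listMethods',
    'examples.getStateName',
    'foo(); echo "x"; //',
    'bar $x; `id`',
    '123startsWithDigit',
);

foreach ($samples as $mName) {
    $name = sanitizeFunctionName($mName);
    printf("%-24s -> %-24s identifier: %s\n",
        $mName, $name, isPhpIdentifier($name) ? 'yes' : 'no');
}
```

Only the last sample fails the identifier check, and it does so by producing an unusable name rather than extra code, which is the bounded behaviour the comment describes.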
In the end, I found another place where untrusted data was used to generate php code, sadly without appropriate sanitization being applied. This has now been fixed.
A detailed explanation of the specific conditions in which this issue might be abused is in https://github.com/gggeek/phpxmlrpc/releases/tag/4.9.0
Thanks for reporting this - and sorry for taking so long to fix it. I did underestimate the reported security-related tickets because there was little information provided regarding the exact problem scenario / underlying issue, and the reports seemed to come from an automated scanner tool, run without any verification of its findings, and my own experience is that this usually leads to a large number of false positives.