[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability

To: Tony Dodd <tony@xxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
From: Sebastian Nohn <sebastian@xxxxxxxx>
Date: Tue, 05 Jul 2005 13:47:06 +0200

Tony Dodd wrote:

There is talk from some people that simply upgrading phpxmlrpc will not suffice, and that you have to upgrade everything which uses it. Confusion abundant so to speak.

Anyone have any clarification on this?

If someone bundled a vulnerable package in his distribution, upgrading the original package does not help, you need to upgrade the bundled version also. The easiest way to do that is to upgrade the application that bundles the lib (given that the application developers provide an updated version).

Sebastian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
  - From: Tony Dodd

Prev by Date: [Full-disclosure] Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
Next by Date: [Full-disclosure] ekg insecure temporary file creation and arbitrary code execution
Previous by thread: [Full-disclosure] Re: FD-V5-I5 [ GLSA 200507-01 ] PEAR XML-RPC, phpxmlrpc: PHP script injection vulnerability
Next by thread: [Full-disclosure] ekg insecure temporary file creation and arbitrary code execution
Index(es):
- Date
- Thread