This issue was discovered by Stefan Esser: This time it is not an escaping issue, but a logical error that allows an attacker to nest XML tags in a way that a single double quote will be appended to the eval string. The next string tag will add another double quote, then the string data and a closing double quote. It should be obvious that this means the string data is not handled as a string but as actual code due to this.
This issue should also affect RHEL3.
This issue is now public: http://marc.theaimsgroup.com/?l=full-disclosure&m=112410998530016&w=2
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-748.html