+++ This bug was initially created as a clone of Bug #165846 +++ This issue was discovered by Stefan Esser: This time it is not an escaping issue, but a logical error that allows an attacker to nest XML tags in a way, that a single doublequote will be appended to the eval string. The next string tag will add another doublequote, then the string data and a closing doublequote. It should be obvious that this means the stringdata is not handled as string but as actual code due to this.
This issue should also affect FC3
This issue is now public: http://marc.theaimsgroup.com/?l=full-disclosure&m=112410998530016&w=2
From User-Agent: XML-RPC freeradius-1.0.1-2.FC3.1 has been pushed for FC3, which should resolve this issue. If these issues are still present in this version, then please re-open this bug.
From User-Agent: XML-RPC php-4.3.11-2.7 has been pushed for FC3, which should resolve this issue. If these issues are still present in this version, then please re-open this bug.
From User-Agent: XML-RPC php-5.0.4-10.4 has been pushed for FC4, which should resolve this issue. If these issues are still present in this version, then please re-open this bug.