A recent worm, Lupper, is traversing the Internet and exploiting computers that run the XML-RPC package for PHP. The official XML-RPC for PHP homepage states that the package’s abuse of the PHP
eval function created a security hole that allowed remote execution of arbitrary code. This means that any systems that run PHP and a faulty XML-RPC for PHP installation can potentially be affected.
Unfortunately, articles such as XML-RPC Threatens Linux, Unix Systems suggest that the worm attacks “web applications that run on Linux and Unix systems.” The example article does not mention that worms, which exploit the XML-RPC for PHP fault, can potentially affect other operating systems as well. System administrators who are responsible for such systems should not overlook this security hole because of its incorrect association with another operating system.
A simplified abuse of the
eval function is presented below:
$arbitraryConsoleCommand='dir'; // or format c: $functionCallString="system($arbitraryConsoleCommand);"; eval( $functionCallString );