PCI コンプライアンスのセキュリティ メトリックでスキャンを実行しているときに、次のエラー メッセージが表示されます。これを解決する方法を知っている人はいますか?
*Title: vulnerable web program (phpRPC) Impact: A remote attacker could execute arbitrary commands, create or overwrite files, or view files or directories on the web server.
Data Sent: POST /ie/modules/phpRPC/server.php HTTP/1.0
Host: example.com
Content-type: text/xml Content-Length:162 <?xml version="1.0"?> <methodCall> <methodName>test.method</methodName> <params> <param> <value><base64>'));system(id);exit; </param> </params> </methodCall>
Data Received: ????<img height="1" width="1" style="border- style:none;" alt="" src="//googleads.g.doubleclick.net/p agead/viewthroughconversion/997970389/?value=0&label=PlcJCKu92AQ Q1aPv2wM&guid=ON&script=0"/>
Resolution: 03/09/06 CVE 2006-1032 phpRPC is an xmlrpc library that uses database and rpc-protocol abstraction. It is prone to a remote code execution vulnerability because the decode() function within the rpc_decoder.php script fails to adequately sanitize user-supplied input before processing it in an eval() call.
Successful exploitation would result in arbitrary code execution in the context of the application. PHP scripts that implement the phpRPC library, such as RunCMS, are affected by this issue. RunCMS 1.1 through 1.3.a5 are affected, as is phpRPC up to 0.7.
Resolution: phpRPC is not currently being maintained. RunCMS users should upgrade to a version higher than 1.3.a5 which will hopefully include a fix.
Risk Factor: High/ CVSS2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE: CVE-2006-1032 BID: 16833 [Less]*