Slashdot Mirror


PHP Blogging Apps Open to XML-RPC Exploits

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

11 of 166 comments

  1. How is this a problem? by Anonymous Coward · · Score: 5, Funny

    A blog server compromise cannot possibly lead to worse content.

  2. Here's how by Anonymous Coward · · Score: 3, Funny

    It could lead to more blogs!

  3. Choice of words by Valacosa · · Score: 5, Funny

    "...major Internet security event."

    A euphemism if I've ever heard one. Can I think of a better euphemism?

    "Wardrobe malfunction"

    Ah, there it is.

    --
    "Live as if you'll die tomorrow." Ridiculous. You could die later today.

  4. Re:How long.. by Krankheit · · Score: 2, Funny

    A worm is not likely to be interested. Worms have a very simple nervous system (one "string"). Their motor skills are poor. Their central nervous system does not meet recommended requirements, but I am worried most that there is no keyboard compatible with worms. However, Google has developed a system to allow the pigeons they employ to use computers to rank search result relevance. A modified version could work with an earthworm.

    --
    Powered by caffeine and sugar; BSD

  5. I hear sirens. Wooo. Woooo. Woo wooo. by dotslashdot · · Score: 5, Funny

    The Internet Storm Center Reports that a high pressure coding flaw in PHP has created an error mass large enough to cause a rotation in sysadmin heads and has issued a red hat/flag Internet surf warning for all surfing sites.

  6. Re:Makes me happy by BoneFlower · · Score: 4, Funny

    Well, Perl tends to be invulnerable to PHP flaws in the vast majority of situations.

  7. i was hacked yesterday by larry+bagina · · Score: 2, Funny

    via this exploit. I was at my box (an old Pentium II running Gentoo, natch) when it happened. I heard the disk start thrashing and knew something was wrong, so I pulled the plug on it before it could be turned into a spam-spewing zombie (or worse). If you don't have tripwire to verify nothing was trojaned, you should probably wipe your hard drive and reinstall.

    This appears to be the same exploit that hackers used on cowboyneal.org a few months back.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:i was hacked yesterday by Anonymous Coward · · Score: 2, Funny

      Let's think about this for a second.

      Pentium II.. Gentoo.. Wiped.

      Ouch. I wouldn't wanna' watch him reinstall that.

  8. Re:Don't want to bash PHP.... by KhaZ · · Score: 2, Funny

    The reason that no one's hacked the Perl equivs. is that not even the hackers want to code in Perl.

    (Jus' trolling. I'd write in BrainFuck over Perl.)

    --
    - - - -

    KickingDragon

  9. Re:Don't want to bash PHP.... by Mr2001 · · Score: 5, Funny

    BTW, suphp is my favorite way to check the overall status of an HP-UX system.

    # suphp
    Not much, runnin' some processes. 'Sup with you?

    --
    Visual IRC: Fast. Powerful. Free.

  10. Isn't it great... by It's+the+tripnaut! · · Score: 2, Funny

    ... that right above this article in /. is another article titled "Anatomy of a Hack" which basically describes how one can h4xx0r b0x3n?