Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Blogging Apps Open to XML-RPC Exploits

Posted by Zonk on from the batten-down-the-hatches dept.

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

7 of 166 comments (clear)

  1. How to patch PHP/PEAR by Anonymous Coward · · Score: 5, Informative

    From the command line:

    pear clear-cache
    pear upgrade XML_RPC

    1. Re:How to patch PHP/PEAR by ScytheBlade1 · · Score: 3, Informative

      Well that was easy.

      server bin # ./pear upgrade XML_RPC
      downloading XML_RPC-1.3.1.tgz ...
      Starting to download XML_RPC-1.3.1.tgz (25,310 bytes)
      .........done: 25,310 bytes
      upgrade ok: XML_RPC 1.3.1


  2. Question: does this effect phpbb? by RLiegh · · Score: 3, Informative

    God knows there's a ton of free (and probably poorly maintained) php boards out there.

    1. Re:Question: does this effect phpbb? by iamdrscience · · Score: 4, Informative

      No, PHPBB doesn't use either of the PHP XML RPC libraries that have been compromised because, well, PHPBB doesn't use XML at all.

  3. this is news? by xWastedMindx · · Score: 5, Informative

    wordpress released a fix for this on June 29. Changelog for 1.5.1.3

  4. Re:Don't want to bash PHP.... by EvilIdler · · Score: 4, Informative

    Thank goodness for suPHP:
    http://www.suphp.org/Home.html

    My host uses this, so I don't need world-readable files and directories in my
    ~/www/ directories for each site. The webserver may run as nobody, but the
    PHP scripts run as the same user I log in as to upload the files.

  5. Re:Makes me happy by Sepodati · · Score: 5, Informative

    I read the vulnerability which links to the sourceforge.net page that has the source code of this "library". It's a PHP script that you include() into other PHP scripts to use the functions/methods defined. The developer of this PHP script used eval() in an incorrect manner.

    Unless you have another article that shows the PHP XML-RPC Functions to be vulnerabile, this is not a PHP vulnerability.

    ---John Holmes...