Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Blogging Apps Open to XML-RPC Exploits

Posted by Zonk on Monday July 4, 2005 @10:15AM from the batten-down-the-hatches dept.

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

3 of 166 comments (clear)

Min score:

Reason:

Sort:

How to patch PHP/PEAR by Anonymous Coward · 2005-07-04 10:16 · Score: 5, Informative

From the command line:

pear clear-cache
pear upgrade XML_RPC
this is news? by xWastedMindx · 2005-07-04 10:21 · Score: 5, Informative

wordpress released a fix for this on June 29. Changelog for 1.5.1.3
Re:Makes me happy by Sepodati · 2005-07-04 12:47 · Score: 5, Informative

I read the vulnerability which links to the sourceforge.net page that has the source code of this "library". It's a PHP script that you include() into other PHP scripts to use the functions/methods defined. The developer of this PHP script used eval() in an incorrect manner.

Unless you have another article that shows the PHP XML-RPC Functions to be vulnerabile, this is not a PHP vulnerability.

---John Holmes...