PHP Blogging Apps Open to XML-RPC Exploits

← Back to Stories (view on slashdot.org)

PHP Blogging Apps Open to XML-RPC Exploits

Posted by Zonk on Monday July 4, 2005 @10:15AM from the batten-down-the-hatches dept.

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

6 of 166 comments (clear)

Min score:

Reason:

Sort:

Makes me happy by orange+haired+boy · 2005-07-04 10:17 · Score: 3, Interesting

That I use Movable Type which won't be effected by this. Makes me sad that it's in PHP...since I love PHP. You can't have everything.

--
Blog: orange haired boy
1. Re:Makes me happy by 1110110001 · 2005-07-04 12:50 · Score: 3, Interesting
  
  Pear is part of PHP. You could use PHP without Pear but in most cases you would install both.
  
  What's sad is that a default lib makes such a bad mistake. It uses eval on a string that's generated from user input. It doesn't matter how good you check the user-input, there's always one way for the user to bypass them. Someone needs to review the pear-code for such stupid mistakes.
  
  b4n
Wouldn't This Be Called an XML Injection Attack? by DanielMarkham · 2005-07-04 10:22 · Score: 2, Interesting

I know when the same technique is used to compromise web sites with SQL in the back end it's called SQL injection. I guess this would be XML Injection? Or perhaps PHP Injection and XML is only the wrapper. XML Injection sounds cooler.

New wireless technology called XMax?
noticed something in my webserver logs by backslashdot · 2005-07-04 10:28 · Score: 2, Interesting

I saw a request for phpmyadmin/index.php in one of my web server logs on July 1st around 4 AM EDT ..

About 2 and a half hours ago i saw a request for phpmyadmin/index.php in my web server logs as well.

I dont have PHP or any forums installed ..and in the couple years my web server has been up (somewhat aporadically though) i havent seen this request (just grepped the logs).

So my opinion is that this attack is in the wild. Can someone confirm?
Don't want to bash PHP.... by afra242 · 2005-07-04 10:35 · Score: 3, Interesting

I really don't want to bash PHP - it seems flexible. However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents, and things are working faster and more secure. Having said that, it was hard to find the Perl equivalents and even hard to find good support for it (ie. themes, etc). I'm still looking for a good Gallery replacement written in Perl.

Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

phpBB is a good example of this. Every other week, they have some security issue.
1. Re:Don't want to bash PHP.... by Anonymous Coward · 2005-07-04 12:04 · Score: 2, Interesting
  
  I really don't want to bash PHP - it seems flexible.
  
  You should bash PHP. It's an awful language. I don't think I'd call it flexible. I might call Lisp flexible. Try sorting an array of objects by comparing a field from each object in PHP. Now try it in Ruby. But that's not important at the moment, after all, we all had to start somewhere.
  
  However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents
  
  This has nothing to do with PHP itself. Your server is no more secure today than it was last week.
  
  The problem is a simple one: PHP is popular, so it attracts a lot of programmers. I would estimate that about 80% of all programmers (open-source or otherwise) are just incompetent, so phpBB, WordPress, etc., are written VERY poorly.
  
  phpBB is a good example of this. Every other week, they have some security issue.
  
  Again, it has NOTHING to do with the language. Take a look at phpBB's source code. Take a look at the code that contained the security hole patched recently:
  
  $message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<) )#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\ 1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
  
  phpBB is fulll of crap like that. This is what you're trusting your server security to. "Are you feeling lucky"?