PHP Blogging Apps Open to XML-RPC Exploits

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

How to patch PHP/PEAR

From the command line:

pear clear-cache
pear upgrade XML_RPC

Re:How to patch PHP/PEAR

[ScytheBlade1]

Well that was easy.

server bin # ./pear upgrade XML_RPC
downloading XML_RPC-1.3.1.tgz ...
Starting to download XML_RPC-1.3.1.tgz (25,310 bytes)
.........done: 25,310 bytes
upgrade ok: XML_RPC 1.3.1

Makes me happy

[orange+haired+boy]

That I use Movable Type which won't be effected by this. Makes me sad that it's in PHP...since I love PHP. You can't have everything.

Re:Makes me happy

[BoneFlower]

Well, Perl tends to be invulnerable to PHP flaws in the vast majority of situations.

Re:Makes me happy

[Sepodati]

Makes me sad that it's in PHP...since I love PHP
This isn't a PHP vulnerability. It's another poorly written, widely used application that's vulernable because the developer fails to check external input. The vulnerability is in a PHP script that someone has written. It could have been written in any langauge; the fault is on the developer, not PHP.

---John Holmes...

Re:Makes me happy

[Sepodati]

I read the vulnerability which links to the sourceforge.net page that has the source code of this "library". It's a PHP script that you include() into other PHP scripts to use the functions/methods defined. The developer of this PHP script used eval() in an incorrect manner.

Unless you have another article that shows the PHP XML-RPC Functions to be vulnerabile, this is not a PHP vulnerability.

---John Holmes...

Re:Makes me happy

[1110110001]

Pear is part of PHP. You could use PHP without Pear but in most cases you would install both.

What's sad is that a default lib makes such a bad mistake. It uses eval on a string that's generated from user input. It doesn't matter how good you check the user-input, there's always one way for the user to bypass them. Someone needs to review the pear-code for such stupid mistakes.

b4n

Question: does this effect phpbb?

[RLiegh]

God knows there's a ton of free (and probably poorly maintained) php boards out there.

Re:Question: does this effect phpbb?

[iamdrscience]

No, PHPBB doesn't use either of the PHP XML RPC libraries that have been compromised because, well, PHPBB doesn't use XML at all.

How is this a problem?

A blog server compromise cannot possibly lead to worse content.

this is news?

[xWastedMindx]

wordpress released a fix for this on June 29. Changelog for 1.5.1.3

Wouldn't This Be Called an XML Injection Attack?

[DanielMarkham]

I know when the same technique is used to compromise web sites with SQL in the back end it's called SQL injection. I guess this would be XML Injection? Or perhaps PHP Injection and XML is only the wrapper. XML Injection sounds cooler.

New wireless technology called XMax?

Here's how

It could lead to more blogs!

Choice of words

[Valacosa]

"...major Internet security event."

A euphemism if I've ever heard one. Can I think of a better euphemism?

"Wardrobe malfunction"

Ah, there it is.

Re:How long..

[Krankheit]

A worm is not likely to be interested. Worms have a very simple nervous system (one "string"). Their motor skills are poor. Their central nervous system does not meet recommended requirements, but I am worried most that there is no keyboard compatible with worms. However, Google has developed a system to allow the pigeons they employ to use computers to rank search result relevence. A modified version could work with an earthworm.

I hear sirens. Wooo. Woooo. Woo wooo.

[dotslashdot]

The Internet Storm Center Reports that a high pressure coding flaw in PHP has created an error mass large enough to cause a rotation in sysadmin heads and has issued a red hat/flag Internet surf warning for all surfing sites.

noticed something in my webserver logs

[backslashdot]

I saw a request for phpmyadmin/index.php in one of my web server logs on July 1st around 4 AM EDT ..

About 2 and a half hours ago i saw a request for phpmyadmin/index.php in my web server logs as well.

I dont have PHP or any forums installed ..and in the couple years my web server has been up (somewhat aporadically though) i havent seen this request (just grepped the logs).

So my opinion is that this attack is in the wild. Can someone confirm?

i was hacked yesterday

[larry+bagina]

via this exploit. i was at my box (an old pentium II running gentoo, natch) when it happened. I heard the disk start thrashing and new something was wrong so i pulled the plug on it, before it could be turned into a spam-spewing zombie (or worse). If you don't have tripwire to verify nothing was trojaned, you should probably wipe your hard drive and reinstall.

This appears to be the same exploit that hackers used on cowboyneal.org a few months back.

Re:i was hacked yesterday

[DrSkwid]

sounds like you are a bit paranoid thewrre larry me old beauty

not quite got a handle on locking your box down so your web server can only write to specific directories huh, well, you might learn now.

Not running your webserver chrooted ? well, you might learn now.

Wiping your hard drive is very Windows.

Re:i was hacked yesterday

Let's think about this for a second.

Pentium II.. Gentoo.. Wiped.

Ouch. I wouldn't wanna' watch him reinstall that.

Re:i was hacked yesterday

[myov]

If a box is compromised, the only way to know you have removed everything is to wipe it and reinstall from clean media. It doesn't matter what platform.

On the insecurity of PHP blogging

[Haiku+4+U]

Use alternatives!
Why not an app called Blosxom?
It's tiny Perl scripts.

Don't want to bash PHP....

[afra242]

I really don't want to bash PHP - it seems flexible. However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents, and things are working faster and more secure. Having said that, it was hard to find the Perl equivalents and even hard to find good support for it (ie. themes, etc). I'm still looking for a good Gallery replacement written in Perl.

Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

phpBB is a good example of this. Every other week, they have some security issue.

Re:Don't want to bash PHP....

[KhaZ]

The reason that noone's hacked the Perl equivs. is that not even the hackers want to code in Perl.

(Jus' trolling. I'd write in BrainFuck over Perl.)

Re:Don't want to bash PHP....

[Saeed+al-Sahaf]

Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

Exactly. And, this is a very important point that all the Perl / Ruby / Python / Whatever FANBOYS like to ignore.

phpBB is a good example of this. Every other week, they have some security issue.

Come on now, you know very well that's an exageration.

Re:Don't want to bash PHP....

[Mr2001]

"you need to have your files set to chmod 777 for this to work" is another pearler.

This is necessary because mod_php runs scripts as the same user who started httpd, usually "nobody", so any files you want your PHP scripts to write to has to be world-writable. The problem would go away if mod_php could just run PHP scripts as their owners, instead of as the user running httpd!

You can already install suphp to do this, but you pay a performance penalty, since it has to start a new process for each invocation.

mod_php's advantage is that it runs scripts in the httpd process, so of course they have the same permissions as the user running httpd. But it could be changed: spawn a new process for each unique user who owns a PHP script (setuid to that user), and have the main httpd process communicate to the appropriate user's child process via a local socket whenever it's time to run one of their scripts. Then you only have to spawn one process for each user, and once that's done, the scripts could run just as fast as they do now.

Re:Don't want to bash PHP....

[EvilIdler]

Thank goodness for suPHP:
http://www.suphp.org/Home.html

My host uses this, so I don't need world-readable files and directories in my
~/www/ directories for each site. The webserver may run as nobody, but the
PHP scripts run as the same user I log in as to upload the files.

Re:Don't want to bash PHP....

[Mr2001]

BTW, suphp is my favorite way to check the overall status of an HP-UX system.

# suphp
Not much, runnin' some processes. 'Sup with you?

Re:Don't want to bash PHP....

I really don't want to bash PHP - it seems flexible.

You should bash PHP. It's an awful language. I don't think I'd call it flexible. I might call Lisp flexible. Try sorting an array of objects by comparing a field from each object in PHP. Now try it in Ruby. But that's not important at the moment, after all, we all had to start somewhere.

However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents

This has nothing to do with PHP itself. Your server is no more secure today than it was last week.

The problem is a simple one: PHP is popular, so it attracts a lot of programmers. I would estimate that about 80% of all programmers (open-source or otherwise) are just incompetent, so phpBB, WordPress, etc., are written VERY poorly.

phpBB is a good example of this. Every other week, they have some security issue.

Again, it has NOTHING to do with the language. Take a look at phpBB's source code. Take a look at the code that contained the security hole patched recently:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<) )#se', "@preg_replace('#\b("
. str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\
1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

phpBB is fulll of crap like that. This is what you're trusting your server security to. "Are you feeling lucky"?

Re:Don't want to bash PHP....

[Tassach]

there are a lot more careless coders out there coding in PHP.

That's exactly the issue. This isn't a PHP vulnerability. It's a poorly written script that doesn't check input properly

I'd say while it isn't exactly a PHP vulnerability it is an inherent PHP design flaw, which renders PHP dangerous (if not useless) for it's intended user community.

To make an analogy, let's look at C. The C language was invented for systems programming, and it excels in that role -- C has been the language of choice for low level hacking for 20+ years. There's a damn good reason that OS kernels and device drivers are written in C -- it gives an expert programmer near-total control of the hardware.

However, this very power is C's downfall when it's used for general application programming. In the hands of anyone other than an expert, C is dangerous because it places too much demand on the programmer to do things "the right way", rather than preventing those errors from ever happening in the first place. It's trivially easy to introduce a buffer overflow or a memory leak into a C program, because the language intentionally does not do bounds checking or garbage collection. Languages which are intended for developing applications include these features -- they intentionally introduce run-time overhead so that the programmer can concentrate his attention on the application's logic rather than working around the language's shortcomings.

Having to manually write code to check each and every user input in an application is a horribly inefficent use of programmer time, and is prone to errors of omission. The development process is FAR more efficent if the language does this kind of housekeeping for the programmer automatically and transparently. This principle is doubly true for a scripting language like PHP, which is intended to be used by people who don't have a solid software engineering background.

Why PHP?

[mcc]

It seems like there's a lot of security advisories along these lines lately and they mostly seem to revolve around PHP site engines. Why PHP? Why not perl, or python, or Ruby?

Is there something about PHP that's making these things likely as opposed to some other language (which seems unlikely, there's plenty of simple mistakes you can make just as easily in perl, i.e. poor scrubbing of regexp/sql content), or is it just that there are more inexperienced people writing PHP code out there, or is it just that PHP site engines are getting installed by more security-inexperienced people, or are the PHP exploits getting publicized more, or am I just noticing them more?

What's going on here?

Re:Why PHP?

[eddy+the+lip]

...or is it just that there are more inexperienced people writing PHP code out there...

Bingo...PHP has a very low barrier to entry. Add to that that it's mainly used in a networked environment, and you're going to have problems. You could code up this exact same problem in perl - the only difference is that by the time you knew enough to get input from the network into your script and passed to eval, you'd probably have had it beaten into you that it's a crime punishable with flogging.

There may be cultural differences at work here as well. XML-RPC is in PEAR and often recommended as a good way of implementing this kind of functionality. This isn't a bug-free guarantee, but there should be some minimal level of quality implied by that. Passing untrusted input directly to eval is gross negligence, and it sort of amazes me that no one noticed this before. I've read a lot of PHP and a lot of perl. It's easy to find crap, bug-riddled code in both. The main difference seems to be that crappy perl code isn't tolerated near so quickly. Crappy PHP code becomes a flagship application.

Re:Why PHP?

[Saeed+al-Sahaf]

...Is there something about PHP that's making these things likely as opposed to some other language...

See below.

...or is it just that there are more inexperienced people writing PHP code out there...

Yes.

...or is it just that PHP site engines are getting installed by more security-inexperienced people...

Yes.

...or are the PHP exploits getting publicized more...

Yes.

...or am I just noticing them more...

Yes.

In the wild?

[Saeed+al-Sahaf]

... I saw a request for phpmyadmin/index.php in one of my web server logs...

and...

So my opinion is that this attack is in the wild. Can someone confirm?

Probably just some script kiddie looking for a phpMyAdmin install not behind a password.

Isn't it great...

[It's+the+tripnaut!]

... that right above this article in /. is another article titled "Anatomy of a Hack" which basically describes how one can h4xx0r b0x3n?

Re:... lucky

[EvilStein]

Uh, you mean .44 Magnum, the most powerful handgun in the world. :P

Of all things to misquote, don't misquote Dirty Harry! ;)

"I know what you're thinking: "Did he fire six shots, or only five?" Well, to tell you the truth in all this excitement, I've kinda lost track myself. But, being this is a .44 Magnum, the most powerful handgun in the world, and would blow your head clean off, you've got to ask yourself one question: "Do I feel lucky?" Well, do ya punk?"

Bragging rights for Perl developers unwarranted

[timbrown]

Without being explicit, don't count your chickens if you're using Perl based CMSs. I'm aware of issues with at least one of the main Perl based CMSs which could ultimately lead to a full server compromise and am currently in talks with their developers about how to fix it. The last thing any sys admin, web developer or web site owner should do, is attempt to sit on their laurels. Yes, code will have bugs. Go forth and audit.

Lessons to be learnt?

Looking at the source code to XML-RPC library in question, to me it's raises some disturbing questions.

From a design perspective, it's really bizarre the way they've chosen to use eval() in the first place.

For a given XML-RPC request or response, they parse the XML then generate PHP code on the fly, which later get's eval'ed. Aside from the fact that using eval() should trigger all sorts of security alerts in a developers head, especially when you're building a library for hooking up remote systems, there's no need to use eval() in the first place.

You can convert data types directly from XML into a PHP data structure then make use of things like call_user_func_array() to execute a callback function as needed. This approach is taken by The Incutio XML-RPC Library for PHP, for example, and there are others to chose from.

Two further things that are disturbing about this exploit.

First looking at the diff which patched the exploit here, all that's basically changed is replacing a single quote with a double quote. That may prevent this specific exploit but the use of eval() is still there and I'm not see any further stringent checks that the incoming input is valid / safe etc. Would not be surprised if there are other ways to "inject" code here.

Second and perhaps most disturbing is the source for this library has a long history going back to Usefulinc and Edd Dumbill. Believe this and the Perl Frontier-RPC libraries were the first two Open Source XML-RPC projects released and in many ways reference implementations in a manner that parallels Apache being a reference implementation for HTTP.

This exploint has taken a very long time to spot. Looking at the main projects CVS here, with the very first revision 1.1, back in "Mon Aug 27 19:21:25 2001 UTC" (and the code is older than that going back to 1999 I believe), it looks like this specific exploit was possible then.

These days Usefulinc are doing things Gnome related - i.e. you'd assume they are real developers not PHP script kiddies. The original developer, Edd Dumbill, is no fool. In Edd's defence, believe he began development before PHP 4.0.4, somewhere with PHP 3.x, which means things like call_user_func_array() was not available and perhaps eval() was required but that should have been revised by the current maintainers of the project as PHP matured.

What's more alot of people have used this code and (hopefully) it's also had alot of experienced eyes looking at it. Those who ported it to PEAR, for example, are not beginners.

But only now, six year laters, was the exploit found. Seems like not a proud moment for Open Source.