Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Blogging Apps Open to XML-RPC Exploits

Posted by Zonk on from the batten-down-the-hatches dept.

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

23 of 166 comments (clear)

  1. How to patch PHP/PEAR by Anonymous Coward · · Score: 5, Informative

    From the command line:

    pear clear-cache
    pear upgrade XML_RPC

    1. Re:How to patch PHP/PEAR by ScytheBlade1 · · Score: 3, Informative

      Well that was easy.

      server bin # ./pear upgrade XML_RPC
      downloading XML_RPC-1.3.1.tgz ...
      Starting to download XML_RPC-1.3.1.tgz (25,310 bytes)
      .........done: 25,310 bytes
      upgrade ok: XML_RPC 1.3.1


  2. Makes me happy by orange+haired+boy · · Score: 3, Interesting

    That I use Movable Type which won't be effected by this. Makes me sad that it's in PHP...since I love PHP. You can't have everything.

    --
    Blog: orange haired boy
    1. Re:Makes me happy by BoneFlower · · Score: 4, Funny

      Well, Perl tends to be invulnerable to PHP flaws in the vast majority of situations.

    2. Re:Makes me happy by Sepodati · · Score: 5, Insightful

      Makes me sad that it's in PHP...since I love PHP
      This isn't a PHP vulnerability. It's another poorly written, widely used application that's vulernable because the developer fails to check external input. The vulnerability is in a PHP script that someone has written. It could have been written in any langauge; the fault is on the developer, not PHP.

      ---John Holmes...

    3. Re:Makes me happy by Sepodati · · Score: 5, Informative

      I read the vulnerability which links to the sourceforge.net page that has the source code of this "library". It's a PHP script that you include() into other PHP scripts to use the functions/methods defined. The developer of this PHP script used eval() in an incorrect manner.

      Unless you have another article that shows the PHP XML-RPC Functions to be vulnerabile, this is not a PHP vulnerability.

      ---John Holmes...

    4. Re:Makes me happy by 1110110001 · · Score: 3, Interesting

      Pear is part of PHP. You could use PHP without Pear but in most cases you would install both.

      What's sad is that a default lib makes such a bad mistake. It uses eval on a string that's generated from user input. It doesn't matter how good you check the user-input, there's always one way for the user to bypass them. Someone needs to review the pear-code for such stupid mistakes.

      b4n

  3. Question: does this effect phpbb? by RLiegh · · Score: 3, Informative

    God knows there's a ton of free (and probably poorly maintained) php boards out there.

    1. Re:Question: does this effect phpbb? by iamdrscience · · Score: 4, Informative

      No, PHPBB doesn't use either of the PHP XML RPC libraries that have been compromised because, well, PHPBB doesn't use XML at all.

  4. How is this a problem? by Anonymous Coward · · Score: 5, Funny

    A blog server compromise cannot possibly lead to worse content.

  5. this is news? by xWastedMindx · · Score: 5, Informative

    wordpress released a fix for this on June 29. Changelog for 1.5.1.3

  6. Here's how by Anonymous Coward · · Score: 3, Funny

    It could lead to more blogs!

  7. Choice of words by Valacosa · · Score: 5, Funny

    "...major Internet security event."

    A euphemism if I've ever heard one. Can I think of a better euphemism?

    "Wardrobe malfunction"

    Ah, there it is.

    --
    "Live as if you'll die tomorrow." Ridiculous. You could die later today.
  8. I hear sirens. Wooo. Woooo. Woo wooo. by dotslashdot · · Score: 5, Funny

    The Internet Storm Center Reports that a high pressure coding flaw in PHP has created an error mass large enough to cause a rotation in sysadmin heads and has issued a red hat/flag Internet surf warning for all surfing sites.

  9. Don't want to bash PHP.... by afra242 · · Score: 3, Interesting

    I really don't want to bash PHP - it seems flexible. However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents, and things are working faster and more secure. Having said that, it was hard to find the Perl equivalents and even hard to find good support for it (ie. themes, etc). I'm still looking for a good Gallery replacement written in Perl.

    Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

    phpBB is a good example of this. Every other week, they have some security issue.

    1. Re:Don't want to bash PHP.... by Saeed+al-Sahaf · · Score: 3, Insightful
      Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

      Exactly. And, this is a very important point that all the Perl / Ruby / Python / Whatever FANBOYS like to ignore.

      phpBB is a good example of this. Every other week, they have some security issue.

      Come on now, you know very well that's an exageration.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:Don't want to bash PHP.... by EvilIdler · · Score: 4, Informative

      Thank goodness for suPHP:
      http://www.suphp.org/Home.html

      My host uses this, so I don't need world-readable files and directories in my
      ~/www/ directories for each site. The webserver may run as nobody, but the
      PHP scripts run as the same user I log in as to upload the files.

    3. Re:Don't want to bash PHP.... by Mr2001 · · Score: 5, Funny

      BTW, suphp is my favorite way to check the overall status of an HP-UX system.

      # suphp
      Not much, runnin' some processes. 'Sup with you?

      --
      Visual IRC: Fast. Powerful. Free.
    4. Re:Don't want to bash PHP.... by Tassach · · Score: 3, Insightful
      there are a lot more careless coders out there coding in PHP.
      That's exactly the issue. This isn't a PHP vulnerability. It's a poorly written script that doesn't check input properly
      I'd say while it isn't exactly a PHP vulnerability it is an inherent PHP design flaw, which renders PHP dangerous (if not useless) for it's intended user community.

      To make an analogy, let's look at C. The C language was invented for systems programming, and it excels in that role -- C has been the language of choice for low level hacking for 20+ years. There's a damn good reason that OS kernels and device drivers are written in C -- it gives an expert programmer near-total control of the hardware.

      However, this very power is C's downfall when it's used for general application programming. In the hands of anyone other than an expert, C is dangerous because it places too much demand on the programmer to do things "the right way", rather than preventing those errors from ever happening in the first place. It's trivially easy to introduce a buffer overflow or a memory leak into a C program, because the language intentionally does not do bounds checking or garbage collection. Languages which are intended for developing applications include these features -- they intentionally introduce run-time overhead so that the programmer can concentrate his attention on the application's logic rather than working around the language's shortcomings.

      Having to manually write code to check each and every user input in an application is a horribly inefficent use of programmer time, and is prone to errors of omission. The development process is FAR more efficent if the language does this kind of housekeeping for the programmer automatically and transparently. This principle is doubly true for a scripting language like PHP, which is intended to be used by people who don't have a solid software engineering background.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  10. Re:i was hacked yesterday by DrSkwid · · Score: 3, Insightful

    sounds like you are a bit paranoid thewrre larry me old beauty

    not quite got a handle on locking your box down so your web server can only write to specific directories huh, well, you might learn now.

    Not running your webserver chrooted ? well, you might learn now.

    Wiping your hard drive is very Windows.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  11. Re:Why PHP? by eddy+the+lip · · Score: 4, Insightful
    ...or is it just that there are more inexperienced people writing PHP code out there...

    Bingo...PHP has a very low barrier to entry. Add to that that it's mainly used in a networked environment, and you're going to have problems. You could code up this exact same problem in perl - the only difference is that by the time you knew enough to get input from the network into your script and passed to eval, you'd probably have had it beaten into you that it's a crime punishable with flogging.

    There may be cultural differences at work here as well. XML-RPC is in PEAR and often recommended as a good way of implementing this kind of functionality. This isn't a bug-free guarantee, but there should be some minimal level of quality implied by that. Passing untrusted input directly to eval is gross negligence, and it sort of amazes me that no one noticed this before. I've read a lot of PHP and a lot of perl. It's easy to find crap, bug-riddled code in both. The main difference seems to be that crappy perl code isn't tolerated near so quickly. Crappy PHP code becomes a flagship application.

    --

    This is the voice of World Control. I bring you Peace.

  12. Re:Why PHP? by Saeed+al-Sahaf · · Score: 3, Insightful
    ...Is there something about PHP that's making these things likely as opposed to some other language...

    See below.

    ...or is it just that there are more inexperienced people writing PHP code out there...

    Yes.

    ...or is it just that PHP site engines are getting installed by more security-inexperienced people...

    Yes.

    ...or are the PHP exploits getting publicized more...

    Yes.

    ...or am I just noticing them more...

    Yes.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  13. Bragging rights for Perl developers unwarranted by timbrown · · Score: 4, Insightful

    Without being explicit, don't count your chickens if you're using Perl based CMSs. I'm aware of issues with at least one of the main Perl based CMSs which could ultimately lead to a full server compromise and am currently in talks with their developers about how to fix it. The last thing any sys admin, web developer or web site owner should do, is attempt to sit on their laurels. Yes, code will have bugs. Go forth and audit.

    --
    Tim Brown