Slashdot Mirror

← Back to Stories (view on slashdot.org)

PHP Blogging Apps Open to XML-RPC Exploits

Posted by Zonk on from the batten-down-the-hatches dept.

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

8 of 166 comments (clear)

  1. How to patch PHP/PEAR by Anonymous Coward · · Score: 5, Informative

    From the command line:

    pear clear-cache
    pear upgrade XML_RPC

  2. How is this a problem? by Anonymous Coward · · Score: 5, Funny

    A blog server compromise cannot possibly lead to worse content.

  3. this is news? by xWastedMindx · · Score: 5, Informative

    wordpress released a fix for this on June 29. Changelog for 1.5.1.3

  4. Choice of words by Valacosa · · Score: 5, Funny

    "...major Internet security event."

    A euphemism if I've ever heard one. Can I think of a better euphemism?

    "Wardrobe malfunction"

    Ah, there it is.

    --
    "Live as if you'll die tomorrow." Ridiculous. You could die later today.
  5. I hear sirens. Wooo. Woooo. Woo wooo. by dotslashdot · · Score: 5, Funny

    The Internet Storm Center Reports that a high pressure coding flaw in PHP has created an error mass large enough to cause a rotation in sysadmin heads and has issued a red hat/flag Internet surf warning for all surfing sites.

  6. Re:Makes me happy by Sepodati · · Score: 5, Insightful

    Makes me sad that it's in PHP...since I love PHP
    This isn't a PHP vulnerability. It's another poorly written, widely used application that's vulernable because the developer fails to check external input. The vulnerability is in a PHP script that someone has written. It could have been written in any langauge; the fault is on the developer, not PHP.

    ---John Holmes...

  7. Re:Don't want to bash PHP.... by Mr2001 · · Score: 5, Funny

    BTW, suphp is my favorite way to check the overall status of an HP-UX system.

    # suphp
    Not much, runnin' some processes. 'Sup with you?

    --
    Visual IRC: Fast. Powerful. Free.
  8. Re:Makes me happy by Sepodati · · Score: 5, Informative

    I read the vulnerability which links to the sourceforge.net page that has the source code of this "library". It's a PHP script that you include() into other PHP scripts to use the functions/methods defined. The developer of this PHP script used eval() in an incorrect manner.

    Unless you have another article that shows the PHP XML-RPC Functions to be vulnerabile, this is not a PHP vulnerability.

    ---John Holmes...