1
giba
[SECURITY] - PHP Blogging Apps Vulnerable to XML-RPC Exploits
  • 2005/7/5 13:20

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

The flaw affects the XML-RPC function, which has many uses in web applications, including "ping" update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls(RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.

The XML-RPC flaw was discovered by James Bercegay of GulfTech Security Research. Bercegay found that the libraries are "vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver ... By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server."

Updated copies of the libraries are now available, and immediate upgrades are recommended. The nature of the flaw poses a dilemma for site operators on shared hosting services, who may run affected applications on their sites but not have the ability to update the server's PHP installation with the secure libraries. Disabling XML-RPC features is the recommended workaround.
Posted by Rich Miller at July 4, 2005 02:55 PM | Subscribe

Original Link:
PHP Blogging Apps Vulnerable to XML-RPC Exploits

This is one problem for XOOPS ?

Thanks for opnions and comments.

[Editado by Giba one question]

2
Mithrandir
Re: [SECURITY] - PHP Blogging Apps Vulnerable to XML-RPC Exploits

No. This was the reason why we have sent out 2.0.13.
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software

3
giba
Re: [SOLVED] - PHP Blogging Apps Vulnerable to XML-RPC Exploits
  • 2005/7/5 16:00

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Perfect

Thanks Mith.

Login

Who's Online

186 user(s) are online (152 user(s) are browsing Support Forums)


Members: 0


Guests: 186


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits