
PHP Blogging Apps Open to XML-RPC Exploits

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

  • Makes me happy (Score:3, Interesting)

    by orange haired boy ( 889758 ) * on Monday July 04, 2005 @06:17PM (#12981616) Homepage
    That I use Movable Type which won't be affected by this. Makes me sad that it's in PHP... since I love PHP. You can't have everything.
  • by DanielMarkham ( 765899 ) on Monday July 04, 2005 @06:22PM (#12981635) Homepage
    I know when the same technique is used to compromise web sites with SQL in the back end it's called SQL injection. [unixwiz.net] I guess this would be XML Injection? Or perhaps PHP Injection and XML is only the wrapper. XML Injection sounds cooler.

    New wireless technology called XMax? [whattofix.com]
  • by backslashdot ( 95548 ) on Monday July 04, 2005 @06:28PM (#12981671)
    I saw a request for phpmyadmin/index.php in one of my web server logs on July 1st around 4 AM EDT.

    About 2 and a half hours ago I saw a request for phpmyadmin/index.php in my web server logs as well.

    I don't have PHP or any forums installed, and in the couple of years my web server has been up (somewhat sporadically though) I haven't seen this request (just grepped the logs).

    So my opinion is that this attack is in the wild. Can someone confirm?
  • by afra242 ( 465406 ) on Monday July 04, 2005 @06:35PM (#12981712)
    I really don't want to bash PHP - it seems flexible. However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents, and things are working faster and more securely. Having said that, it was hard to find the Perl equivalents and even harder to find good support for them (i.e. themes, etc.). I'm still looking for a good Gallery replacement written in Perl.

    Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

    phpBB is a good example of this. Every other week, they have some security issue.
  • by Anonymous Coward on Monday July 04, 2005 @08:04PM (#12982075)

    I really don't want to bash PHP - it seems flexible.

    You should bash PHP. It's an awful language. I don't think I'd call it flexible. I might call Lisp flexible. Try sorting an array of objects by comparing a field from each object in PHP. Now try it in Ruby. But that's not important at the moment, after all, we all had to start somewhere.

    However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents

    This has nothing to do with PHP itself. Your server is no more secure today than it was last week.

    The problem is a simple one: PHP is popular, so it attracts a lot of programmers. I would estimate that about 80% of all programmers (open-source or otherwise) are just incompetent, so phpBB, WordPress, etc., are written VERY poorly.

    phpBB is a good example of this. Every other week, they have some security issue.

    Again, it has NOTHING to do with the language. Take a look at phpBB's source code. Take a look at the code that contained the security hole patched recently:

    $message = str_replace('\"', '"', substr(@preg_replace(
        '#(\>(((?>([^><]+|(?R)))*)\<))#se',   // /e modifier: the replacement string is evaluated as PHP code
        // $highlight_match is derived from the request's highlight parameter
        "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match))
            . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')",
        '>' . $message . '<'
    ), 1, -1));

    phpBB is full of crap like that. This is what you're trusting your server security to. "Are you feeling lucky"?

  • Re:Makes me happy (Score:3, Interesting)

    by 1110110001 ( 569602 ) <(slashdot-0904) (at) (nedt.at)> on Monday July 04, 2005 @08:50PM (#12982238)
    PEAR is part of PHP. You could use PHP without PEAR but in most cases you would install both.

    What's sad is that a default lib makes such a bad mistake. It uses eval on a string that's generated from user input. It doesn't matter how well you check the user input, there's always one way for the user to bypass them. Someone needs to review the PEAR code for such stupid mistakes.

    b4n
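An added illustration of the pattern the comment above describes, eval() run on PHP source text assembled from parsed XML-RPC input, placed beside a decoder that never turns data into code. This is example code written for this page, not the PEAR XML_RPC or phpxmlrpc library's code; the XML document and the function names are constructed for the example.

```php
<?php
// Constructed sample: a minimal XML-RPC <value> holding a struct.
$sampleXml = '<value><struct>'
    . '<member><name>title</name><value><string>hello</string></value></member>'
    . '<member><name>count</name><value><int>3</int></value></member>'
    . '</struct></value>';

// VULNERABLE PATTERN: parsed data is spliced into PHP source text and eval()'d.
// Whatever validation happens before the splice, the hand-rolled quoting has
// to match PHP's own string parsing in every case, and any mismatch lets
// request data be executed as code.
function decodeValueWithEval(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $src = '';
    foreach ($doc->struct->member as $m) {
        $name = (string) $m->name;
        $val  = (string) $m->value->string ?: (string) $m->value->int;
        // Escaping bolted on afterwards; the data is still becoming code.
        $src .= "'" . addslashes($name) . "' => '" . addslashes($val) . "', ";
    }
    $result = null;
    eval('$result = array(' . $src . ');');   // data -> code boundary crossed here
    return $result;
}

// HARDENED: build the PHP value directly from the parse tree. There is no
// source text to escape, so there is nothing for malformed input to break out of.
function decodeValue(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $result = [];
    foreach ($doc->struct->member as $m) {
        $name = (string) $m->name;
        if (isset($m->value->int)) {
            $result[$name] = (int) $m->value->int;
        } else {
            $result[$name] = (string) $m->value->string;
        }
    }
    return $result;
}

// On well-formed input both decoders agree; only the second one stays safe
// when the input is not what the quoting logic anticipated.
var_dump(decodeValueWithEval($sampleXml) == decodeValue($sampleXml));
```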