Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

The flaw affects the XML-RPC function, which has many uses in web applications, including “ping” update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls(RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.

Thankfully Wordpress has already responded to that.

Recent Entries

• memcache.php flushes servers
• memcache.php can delete keys now
• memcache.php is now part of pecl/memcache
• memcache.php goes PECL
• memcache.php stats like apc.php
• oci_bind_by_name maxlength is not so optional
• Is Sun going to buy PHP too?(PHP Quebec 2008)
• PHP APC apc_shm_create error on CLI
• Facebook’s Buggy Spam Detection
• Is it Firefox or Zend Debugger? Cookie Standards

You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.