PHP Blogging Apps Open to XML-RPC Exploits (21 posts)

  1. kmtcn
    Member
    Posted 9 years ago #

    http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerable_to_xmlrpc_exploits.html
    "Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others."

    What are WP users on shared servers supposed to do? "Disabling XML-RPC features is the recommended workaround" - How to do?

    If you control the server, try this:

    pear clear-cache
    pear upgrade XML_RPC

  2. error
    Member
    Posted 9 years ago #

    This was fixed in version 1.5.1.3.

  3. astrashe
    Member
    Posted 9 years ago #

    Wow, that was easy.

    Thanks.

  4. kmtcn
    Member
    Posted 9 years ago #

    And if we're stuck at 1.5.1? What to do in the mean time?

  5. RustIndy
    Member
    Posted 9 years ago #

    Either remove the xmlrpc.php file if you have access to it, or send an email to your ISP informing them that a serious (and potentially severe) security problem has been identified and a patch is available.

    Of note, this security issue is now public, and worms have been seen in the wild. If you haven't updated to 1.5.1.3 yet, do it before you go to bed tonight.

  6. The upgrade to v1.5.1.3 from v1.5.1 is relatively painless:

    1. Backup your WordPress database
    2. Backup your files.
    3. Download WordPress
    4. Delete /wp-admin/
    5. Delete /wp-includes/
    6. Delete all the WordPress files in the same directory as wp-rss2.php EXCEPT wp-config.php
    7. Upload the new ones
    8. Run http://example.com/wp-admin/upgrade.php

  7. kmtcn
    Member
    Posted 9 years ago #

    The upgrade to v1.5.1.3 from v1.5.1 is relatively painless

    For anyone that hasn't modified ANY WP files, or installed ANY plugins, this may be true.

    Please try to remember that, and please try to avoid such blanket statements as 'install is painless'. For those that have shown initiative and made their site their own, installs and upgrades are never trivial.

    Using my post about how to deal with a security question as an opportunity to lecture on the ease of installs, when it only applies to 'JohnnyStockUser' isn't all that helpful :)

    I thought you walked away from the forums just because of this type of 'noise'....? :)

    I don't have access to FTP to upload/update any files on my site for another month. I can't change permissions or delete or rename. I can't contact an admin to take any action on my behalf.

    What can I do via the admin pages to protect myself if my site is stuck at 1.5.1?

    If the answer is 'nada', then say so, please.

    Just spare me the 'updates' are easy responses...I know all about that daydream :)

  8. kas
    Member
    Posted 9 years ago #

    Does anybody know if 1.2.x installations are vulnerable?

  9. Firas
    Member
    Posted 9 years ago #

    kmtcn, actually, the upgrade steps above are exactly the same, however many plugins you've installed or templates you've edited.

    If you don't have ftp access, see if you can open the xmlrpc.php file in the inbuilt editor and empty it?

  10. error
    Member
    Posted 9 years ago #

    I don't have access to FTP to upload/update any files on my site for another month. I can't change permissions or delete or rename. I can't contact an admin to take any action on my behalf.

    At that point you get a different web host.

  11. Just spare me the 'updates' are easy responses...I know all about that daydream

    Please accept my apologies for trying to help, it won't happen again.

  12. Michael Bishop

    Posted 9 years ago #

    It should be added that you should NOT delete the wp-content folder, unless you are using the default theme with no modifications and no plugins installed.
    IMO, that was not clear in the earlier instructions.
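    A shell script that carries out the file side of the recipe above (steps 2 and 4 to 7) while honouring the wp-content caveat, written here as an added example; it is not code from the thread or from WordPress, the directory names are assumptions, and the database dump (step 1) and the browser visit to upgrade.php (step 8) are left to the reader:

```shell
#!/bin/sh
# Added example; not code from the thread or from WordPress. It scripts the
# file side of the upgrade recipe in posts 6 and 12: back up the install,
# replace the core directories and the top-level core files, and keep
# wp-config.php and the whole wp-content/ tree (themes, plugins, uploads).
# Directory layout and paths are assumptions. Step 1 (the database dump)
# and step 8 (running wp-admin/upgrade.php in a browser) are not scripted.
#
# Usage: wp_core_upgrade SITE_ROOT UNPACKED_RELEASE BACKUP_DIR

wp_core_upgrade() {
    site="$1"; release="$2"; backup="$3"
    [ -f "$site/wp-config.php" ] || { echo "no wp-config.php in $site" >&2; return 1; }
    [ -d "$release/wp-includes" ] || { echo "$release is not an unpacked WordPress release" >&2; return 1; }

    # Step 2: full file backup first, so a failed upgrade is recoverable.
    # (Step 1 would be along the lines of: mysqldump -u USER -p DBNAME > "$backup/db.sql")
    mkdir -p "$backup"
    tar -C "$site" -cf "$backup/files.tar" . || return 1

    # Steps 4-6: remove wp-admin/, wp-includes/ and the core files that sit
    # next to wp-rss2.php. The glob skips dotfiles, so .htaccess survives.
    for entry in "$site"/*; do
        case "$(basename "$entry")" in
            wp-config.php|wp-content) ;;      # never delete these
            *) rm -rf "$entry" ;;
        esac
    done

    # Step 7: copy the new release in. Its wp-content/ is skipped so the
    # site's own theme and plugins are not overwritten by the stock ones.
    for entry in "$release"/*; do
        case "$(basename "$entry")" in
            wp-content) ;;
            *) cp -R "$entry" "$site/" ;;
        esac
    done
    echo "files replaced; now load /wp-admin/upgrade.php in a browser (step 8)"
}

if [ "$#" -eq 3 ]; then wp_core_upgrade "$@"; fi
```

    Run it from an account that can write to the site root, with the release already unpacked somewhere outside the site; the tarball in BACKUP_DIR is what you restore from if upgrade.php then fails.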

  13. angsuman
    Member
    Posted 9 years ago #

    @kmtcn
    MacManX was just trying to be helpful. I think your post was rude and uncalled for. He had no way of knowing your "special" situation. And he doesn't gain anything by promoting easy installation of WordPress.

    If you are a "special" user with customizations then you should ideally create a patch from your version to 1.5.1.3 by looking at the change lists and applying it to your sites like the patch I provide for upgrading WordPress from 1.5.1.2 to 1.5.1.3.

    In your very special case (no ftp access etc.) use the inbuilt editor to upgrade the relevant files or change your hosting provider as root said.

  14. aprilia
    Member
    Posted 9 years ago #

    macmanx - You the man! For non-techy guys like me, I appreciated the simple steps you outlined. I upgraded from 1.5.1.1 w/o any problems.

    Thanks.

  15. smartytron
    Member
    Posted 9 years ago #

    I have not upgraded to 1.5.x.x.x.x

    I have 1.2.1, and no xmlrpc.php file, though I do have class-xmlrpc.php and class-xmlrpcs.php files in the wp-includes dir.

    Do these need to be deleted? Or is there something else that needs to be done? (Besides upgrading to 1.5.x.x.x.x.x.x ;)

    thanks,
    m

  16. angsuman
    Member
    Posted 9 years ago #

    > do these need to be deleted?
    No. But that addresses only one loophole. There are others.

    There are several security vulnerabilities. IMHO it is strategically important to upgrade to 1.5.1.3.

  17. Jammn
    Member
    Posted 9 years ago #

    I don't understand why WordPress upgrades are only provided as a zip/tgz of the entire thing. Upgrades could be made significantly smaller and easier if incremental patches were provided, especially for security releases. You could have upgrade.php run the patch for those without shell access.

    Those with a heavily modified installation would first need to take a diff -ur of their files against the stock WordPress of their current version, reverse apply it (or just reinstall the stock), then apply the upgrade patch, then reapply their modification patch. It shouldn't be rocket science to do most of that automatically too, even down to fetching the full tgz of the current version as required. The system as it stands is needlessly painful.

    As a start, I've made some patches for the latest upgrade and the one before. If you have shell access (and it's a unix box) you can apply them by copying the patch file to your wordpress root, cd there, and type

    patch -p1 <wordpress-xxx-to-xxx.patch

    Both patches applied cleanly on my system, but your mileage may vary and no warranty, so I strongly advise you take backups before doing this.
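    The workflow Jammn outlines for a modified install (diff the site against a stock copy of its current version, rebuild from stock, apply the upgrade patch, then re-apply the local diff) as an added shell example; it is not code from the thread or from WordPress, the directory names are assumptions, and the upgrade patch is generated from two stock trees here rather than downloaded:

```shell
#!/bin/sh
# Added example, not from the thread or the WordPress project. It walks the
# workflow Jammn describes: diff the customised site against a stock copy of
# its current version, rebuild from stock, apply the upgrade patch, then
# re-apply the local modifications. All directory names are assumptions;
# the upgrade patch is generated from two stock trees instead of downloaded.
#
# Usage: rebuild_with_local_mods SITE STOCK_OLD STOCK_NEW OUT
#   SITE       the live, modified install
#   STOCK_OLD  pristine copy of the version SITE was installed from
#   STOCK_NEW  pristine copy of the version to upgrade to
#   OUT        directory to create with the merged result (must not exist)
# Returns 0 on a clean merge, 1 if patch left *.rej files, 2 on error.

# diff exits 1 when the trees differ, which is the expected case here;
# anything above 1 is a real error. Run from inside the work directory so
# the headers carry one leading path component for patch -p1 to strip.
run_diff() {
    if diff -urN "$1" "$2"; then :; elif [ $? -gt 1 ]; then return 2; fi
    return 0
}

rebuild_with_local_mods() {
    site="$1"; old="$2"; new="$3"; out="$4"
    [ -d "$site" ] && [ -d "$old" ] && [ -d "$new" ] && [ ! -e "$out" ] || return 2

    work=$(mktemp -d) || return 2
    cp -R "$old" "$work/stock-old"
    cp -R "$new" "$work/stock-new"
    cp -R "$site" "$work/site"

    # 1. Capture the local modifications relative to the stock version
    #    (-N turns files that exist only in the site into creation hunks).
    (cd "$work" && run_diff stock-old site > local-mods.patch) || return 2
    # 2. The upgrade patch: stock old -> stock new.
    (cd "$work" && run_diff stock-old stock-new > upgrade.patch) || return 2

    # 3. Start again from pristine stock ("or just reinstall the stock").
    cp -R "$old" "$out"
    # 4. Apply the upgrade, then the local changes on top. patch exits 1
    #    when a hunk is rejected; the rejects land in *.rej files next to
    #    the target for manual merging, so report but keep going.
    status=0
    (cd "$out" && patch -p1 -s < "$work/upgrade.patch") || status=1
    (cd "$out" && patch -p1 -s < "$work/local-mods.patch") || status=1
    rm -rf "$work"
    return "$status"
}

if [ "$#" -eq 4 ]; then rebuild_with_local_mods "$@"; fi
```

    A non-zero return means a hunk of the local changes overlaps a core change in the security release; those files are exactly the ones that need a human to look at the .rej output before the result is copied over the live site.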

  18. skippy
    Member
    Posted 9 years ago #

    As I said in another thread, diffs and patches are far more complicated for the bulk of WordPress users. The time it takes to bundle "update only" archives is not the issue -- it's a matter of support. By having one download, it makes it super easy for all of the volunteer support providers to talk to users of all skill levels. It makes it easy for new users to follow along in support discussions about what they need to do.

    People who understand diffs can look at the changelog and determine what they need to do.

    People who do not understand diffs are likely not modifying core files, so a full re-install is no more challenging than an incremental upgrade.

  19. masquerade
    Member
    Posted 9 years ago #

    @ the original thread

    WordPress and PHP's vulnerabilities are unrelated. The pear commands given will in no way affect WordPress. The article above is entirely incorrect in listing WordPress as vulnerable software because of the way that PHP handles XMLRPC.

    WordPress uses its own builtin XMLRPC server, and it is just coincidence that these vulnerabilities were discovered at the same time.

  20. kickass
    Member
    Posted 9 years ago #

    Okay, so I have 1.5. I did some sort of "security upgrade" not all that long ago where I changed a line in template-functions-category.php in the wp-includes directory. I think that corresponded roughly to 1.5.1? (file changed 6-7-2005) How do I handle this? Do I follow the above instructions? Or do I have to do more?

  21. skippy
    Member
    Posted 9 years ago #

    kickass: if you have not modified any core files (beyond the application of a previous security fix), the easiest solution is to do a full upgrade. Upgrading WordPress has all the instructions.

This topic has been closed to new replies.