WordPress.org Support » How-To and Troubleshooting

PHP Blogging Apps Open to XML-RPC Exploits

  • http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerable_to_xmlrpc_exploits.html
    “Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.”

    What are WP users on shared servers supposed to do? “Disabling XML-RPC features is the recommended workaround” – how is that done?

    If you control the server, try this:

    pear clear-cache
    pear upgrade XML_RPC

Viewing 15 replies - 1 through 15 (of 20 total)
  • This was fixed in version 1.5.1.3.

    Wow, that was easy.

    Thanks.

    And if we’re stuck at 1.5.1? What to do in the mean time?

    Either remove the xmlrpc.php file if you have access to it, or send an email to your ISP informing them that a serious (and potentially severe) security problem has been identified and a patch is available.

    Of note, this security issue is now public, and worms have been seen in the wild. If you haven’t updated to 1.5.1.3 yet, do it before you go to bed tonight.

    Moderator James Huff (@macmanx), Support Team Rep.

    The upgrade to v1.5.1.3 from v1.5.1 is relatively painless:

    1. Back up your WordPress database.
    2. Back up your files.
    3. Download WordPress.
    4. Delete /wp-admin/.
    5. Delete /wp-includes/.
    6. Delete all the WordPress files in the same directory as wp-rss2.php EXCEPT wp-config.php.
    7. Upload the new ones.
    8. Run http://example.com/wp-admin/upgrade.php
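    The steps above in script form, as an added example that is not from the thread or from WordPress itself. It assumes two arguments: the install directory (the one containing wp-config.php) and an unpacked copy of the new release. It never touches wp-config.php or anything under wp-content/ (themes, plugins, uploads), which is the caveat raised later in this thread, and it leaves step 8 to the browser. Step 1, the database dump, depends on what MySQL access your host gives you, so it is only noted in a comment.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): the manual upgrade
# steps as a script.  Assumed layout:
#   $1 = directory of the running WordPress install (contains wp-config.php)
#   $2 = directory of the unpacked new release (contains wp-admin/, wp-includes/)
# wp-config.php and wp-content/ are never removed or overwritten.
set -eu

# Step 2: tarball of the whole install, written next to it.
# Step 1 (database) is host-specific; typically something like
#   mysqldump -u USER -p DBNAME > wp-db-backup.sql
wp_backup_files() {
    install=$1
    backup="$install.backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$(dirname "$install")" "$(basename "$install")"
    printf '%s\n' "$backup"
}

# Steps 4-6: delete wp-admin/, wp-includes/ and the top-level PHP files,
# keeping wp-config.php.  wp-content/ is not touched at all.
wp_remove_old_core() {
    install=$1
    rm -rf "$install/wp-admin" "$install/wp-includes"
    for f in "$install"/*.php; do
        [ -e "$f" ] || continue
        [ "$(basename "$f")" = wp-config.php ] && continue
        rm -f "$f"
    done
}

# Step 7: copy the new core in.  The release's own wp-content/ is skipped so
# that nothing customised (theme edits, plugins) can be overwritten.
wp_copy_new_core() {
    install=$1
    release=$2
    cp -R "$release/wp-admin" "$release/wp-includes" "$install/"
    for f in "$release"/*.php; do
        [ -e "$f" ] || continue
        cp "$f" "$install/"
    done
}

wp_upgrade() {
    install=$1
    release=$2
    [ -f "$install/wp-config.php" ] || { echo "no wp-config.php in $install" >&2; return 1; }
    [ -d "$release/wp-includes" ] || { echo "no wp-includes in $release" >&2; return 1; }
    wp_backup_files "$install"
    wp_remove_old_core "$install"
    wp_copy_new_core "$install" "$release"
    echo "core replaced; now run /wp-admin/upgrade.php in the browser"
}

# Usage: sh wp-upgrade.sh /path/to/blog /path/to/unpacked/wordpress
if [ $# -ge 2 ]; then
    wp_upgrade "$1" "$2"
fi
```

    The tarball it writes beside the install directory is what you restore from if the upgrade goes wrong; restoring the database is separate.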

    > The upgrade to v1.5.1.3 from v1.5.1 is relatively painless

    For anyone who hasn’t modified ANY WP files, or installed ANY plugins, this may be true.

    Please try to remember that, and please try to avoid such blanket statements as ‘install is painless’. For those that have shown initiative and made their site their own, installs and upgrades are never trivial.

    Using my post about how to deal with a security question as an opportunity to lecture on the ease of installs, when it only applies to ‘JohnnyStockUser’ isn’t all that helpful 🙂

    I thought you walked away from the forums just because of this type of ‘noise’….? 🙂

    I don’t have access to FTP to upload/update any files on my site for another month. I can’t change permissions or delete or rename. I can’t contact an admin to take any action on my behalf.

    What can I do via the admin pages to protect myself if my site is stuck at 1.5.1?

    If the answer is ‘nada’, then say so, please.

    Just spare me the ‘updates are easy’ responses…I know all about that daydream 🙂

    Does anybody know if 1.2.x installations are vulnerable?

    kmtcn, actually, the upgrade steps above are exactly the same, however many plugins you’ve installed or templates you’ve edited.

    If you don’t have ftp access, see if you can open the xmlrpc.php file in the inbuilt editor and empty it?
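    The “empty xmlrpc.php” workaround above, and the original post’s “disabling XML-RPC features is the recommended workaround”, written down as a script so it can be checked: an added example that is not from the thread or from WordPress. It reads the version the install reports and, when that is older than 1.5.1.3, overwrites xmlrpc.php with a stub that answers every request with 403 instead of leaving a zero-byte file. It assumes the standard layout with wp-includes/version.php declaring $wp_version; the upgrade later supplies a fresh xmlrpc.php, so the old one is not kept.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): check the reported
# WordPress version and, if it is below the fixed release, neutralise
# xmlrpc.php until the core can be upgraded.  Assumes the usual
# wp-includes/version.php with a line like:  $wp_version = '1.5.1';
set -eu

FIXED_VERSION=1.5.1.3   # first release with the fix, per the thread

# Print the version string declared in wp-includes/version.php.
wp_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null \
        | head -n 1 \
        | sed "s/.*= *['\"]//; s/['\"].*//"
}

# True (exit 0) when dotted version $1 is at least dotted version $2.
# Missing components sort as 0, so 1.5.1 < 1.5.1.3.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Exit 0 if the install is at or above FIXED_VERSION, 1 otherwise.
wp_check() {
    v=$(wp_version "$1")
    [ -n "$v" ] || { echo "cannot read version from $1" >&2; return 1; }
    if version_at_least "$v" "$FIXED_VERSION"; then
        echo "WordPress $v: at or above $FIXED_VERSION"
        return 0
    fi
    echo "WordPress $v: below $FIXED_VERSION, xmlrpc.php is exposed"
    return 1
}

# Replace xmlrpc.php with a stub that refuses every request.  A 403 is
# visible in the access log, unlike an empty file, which makes it easy to
# see whether anything is still probing the endpoint.
wp_xmlrpc_disable() {
    target="$1/xmlrpc.php"
    [ -f "$target" ] || { echo "no xmlrpc.php in $1"; return 0; }
    cat > "$target" <<'EOF'
<?php
// XML-RPC disabled pending upgrade to a WordPress release with the fix.
header('HTTP/1.0 403 Forbidden');
exit;
EOF
    echo "xmlrpc.php replaced with a 403 stub"
}

# Usage: sh wp-xmlrpc-check.sh /path/to/blog
if [ $# -ge 1 ]; then
    wp_check "$1" || wp_xmlrpc_disable "$1"
fi
```

    Without FTP this is only useful to someone who can run a shell on the host; with nothing but the admin pages, the built-in editor and the stub’s four lines pasted into xmlrpc.php get the same result. Either way it is a stopgap: as noted further down the thread, xmlrpc.php is not the only thing 1.5.1.3 fixes.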

    > I don’t have access to FTP to upload/update any files on my site for another month. I can’t change permissions or delete or rename. I can’t contact an admin to take any action on my behalf.

    At that point you get a different web host.

    Moderator James Huff (@macmanx), Support Team Rep.

    > Just spare me the ‘updates are easy’ responses…I know all about that daydream

    Please accept my apologies for trying to help, it won’t happen again.

    It should be added that you should NOT delete the wp-content folder, unless you are using the default theme with no modifications and no plugins installed.
    IMO, that was not clear in the earlier instructions.

    @kmtcn
    MacManX was just trying to be helpful. I think your post was rude and uncalled for. He had no way of knowing your “special” situation. And he doesn’t gain anything by promoting easy installation of WordPress.

    If you are a “special” user with customizations then you should ideally create a patch from your version to 1.5.1.3 by looking at the change lists and apply it to your sites like the patch I provide for upgrading WordPress from 1.5.1.2 to 1.5.1.3.

    In your very special case (no ftp access etc.) use the inbuilt editor to upgrade the relevant files or change your hosting provider as root said.

    macmanx – You the man! For non-techy guys like me, I appreciated the simple steps you outlined. I upgraded from 1.5.1.1 w/o any problems.

    Thanks.

    I have not upgraded to 1.5.x.x.x.x

    I have 1.2.1, and no xmlrpc.php file, though I do have class-xmlrpc.php and class-xmlrpcs.php files in the wp-includes dir.

    Do these need to be deleted? Or is there something else that needs to be done (besides upgrading to 1.5.x.x.x.x.x.x 😉)?

    Thanks,
    m

    > Do these need to be deleted?
    No. But that addresses only one loophole. There are others.

    There are several security vulnerabilities. IMHO it is strategically important to upgrade to 1.5.1.3.

  • The topic ‘PHP Blogging Apps Open to XML-RPC Exploits’ is closed to new replies.