PHP as a language is not vulnerable. Lots of PHP-based blogging and CMS software installations are currently vulnerable because they use a widely used phpxmlrpc library which has a remote script execution vulnerability. WP 1.5.1.2 and earlier versions are vulnerable. Additionally, WordPress 1.5.1.2 and earlier versions have several other vulnerabilities too, like cross-site scripting, SQL injection etc.
Note that WordPress does not use the PHPXMLRPC library.
Ryan Boren:
Not relevant to WP. We don’t use the php libraries. Ours is a different but similar XMLRPC exploit. There was ours, the php one, and the PEAR one all at the same time. Ours was unique to us whereas the php and PEAR ones affected lots of projects.
At the core the problem was the same – not sanitizing the query string parameters (arguments to xmlrpc.php).
Thread Starter
kguy
(@kguy)
Thank you so much! WordPress is one of the best pieces of web-based software and it should always be like this, should rock the web!
regards 😉
And the above is why I’m scared to death to try to write anything in PHP. Because I don’t have enough sense to close doors behind me, so to speak! The above is probably also a really good reason it’s not much fun to be a web host right now!
Look at Secunia. There are now tons of critical security defects in wide-ranging PHP products. Makes you wonder, doesn't it?
I said before, PHP as a language is not vulnerable. But many of its libraries are. Simplicity comes at a price.