Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.

Post #1, 07-04-2005, 11:54 AM, by sivvaa
Security Alert on CMS Scripts

Quoting from Netcraft....

Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

The flaw affects the XML-RPC function, which has many uses in web applications, including "ping" update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls (RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.

The XML-RPC flaw was discovered by James Bercegay of GulfTech Security Research. Bercegay found that the libraries are "vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver ... By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server."

Updated copies of the libraries are now available, and immediate upgrades are recommended. The nature of the flaw poses a dilemma for site operators on shared hosting services, who may run affected applications on their sites but not have the ability to update the server's PHP installation with the secure libraries. Disabling XML-RPC features is the recommended workaround.

Post #2, 07-04-2005, 12:20 PM, by sivvaa
Hi all,

I have just updated WordPress to the latest release. They have fixed this security issue.
----------------------------------------------------------------
http://wordpress.org/development/

We would like to announce that WordPress 1.5.1.3 is now released as we continue the availability of a highly stable and extremely popular branch based on the 1.5 Strayhorn codebase. Development has moved on to some exciting new features for the next major release, but an important security issue was brought to our attention which required an update for our users. The problem is not yet public but you should update your blog as soon as possible to 1.5.1.3. If you are unable to upgrade in the short-term you may protect yourself by deleting the xmlrpc.php file from your WordPress directory.
---------------------------------------------------

FYI

Rgds
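Both posts leave a site operator with the same practical question: which applications under the account bundle one of the affected XML-RPC libraries, and which expose an XML-RPC endpoint such as WordPress's xmlrpc.php that can be removed or disabled until an upgrade is possible. The script below is an added example written for this thread; it is not code from either post, from Netcraft, or from any of the projects named. It walks a web root and reports files matching the default file names the PHPXMLRPC and PEAR XML_RPC packages ship under plus the xmlrpc.php endpoint (the name list is an assumption and should be extended for other applications). The directory tree it scans is constructed inside the script so it runs offline.

```python
import tempfile
from pathlib import Path

# File names to look for. These are assumed to be the default names shipped by
# PHPXMLRPC (xmlrpc.inc / xmlrpcs.inc) and PEAR XML_RPC (XML/RPC.php,
# XML/RPC/Server.php), plus the WordPress xmlrpc.php endpoint named in the
# thread. Extend the mapping for the applications on your own account.
XMLRPC_MARKERS = {
    "xmlrpc.inc": "PHPXMLRPC client library",
    "xmlrpcs.inc": "PHPXMLRPC server library",
    "RPC.php": "PEAR XML_RPC (expected under an XML/ directory)",
    "Server.php": "PEAR XML_RPC server (expected under XML/RPC/)",
    "xmlrpc.php": "application XML-RPC endpoint (e.g. WordPress)",
}


def find_xmlrpc_files(docroot):
    """Walk docroot and return a sorted list of (relative path, description)
    for every file whose name matches a known XML-RPC library or endpoint."""
    docroot = Path(docroot)
    hits = []
    for path in docroot.rglob("*"):
        if not path.is_file():
            continue
        desc = XMLRPC_MARKERS.get(path.name)
        if desc is None:
            continue
        # PEAR's generic file names only count inside the XML/RPC tree,
        # otherwise any unrelated Server.php would be reported.
        if path.name == "RPC.php" and path.parent.name != "XML":
            continue
        if path.name == "Server.php" and path.parent.name != "RPC":
            continue
        hits.append((path.relative_to(docroot).as_posix(), desc))
    return sorted(hits)


def build_sample_docroot():
    """Construct a throwaway directory tree imitating a shared-hosting account
    with a blog, a wiki bundling PHPXMLRPC and a FAQ app using PEAR XML_RPC.
    All file contents are constructed placeholders."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    files = [
        "blog/xmlrpc.php",
        "blog/wp-includes/class-IXR.php",   # not a marker: must be ignored
        "wiki/lib/xmlrpc.inc",
        "wiki/lib/xmlrpcs.inc",
        "faq/pear/XML/RPC.php",
        "faq/pear/XML/RPC/Server.php",
        "faq/pear/Other/Server.php",        # same name, wrong directory: ignored
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel, desc in find_xmlrpc_files(sample):
        print(f"{rel:32} {desc}")
```

Run it against the real document root instead of the sample tree to get the list of applications that need the updated library or, where upgrading is not possible on shared hosting, whose XML-RPC endpoint should be removed as the WordPress announcement suggests. A hit only means the file is present; confirming whether that copy is the fixed release still requires checking the version the application shipped.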