From: Joel U. <uck...@no...> - 2005-07-03 15:32:10
Thus spake Reini Urban:
>
> If you are using phpwiki-1.3.11_rc1 or newer, or a CVS version later
> than 2005-01-05, AND you are using the native PECL xmlrpc extension by
> Dan Libby, you are on the safe side and can forget this issue. Check your
> phpinfo() if the xmlrpc extension is loaded.
> phpwiki from 2005-01-05 on checks the existence and does not use the
> exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.

If you're using Fedora Core 4 (like I am), then you're using Dan Libby's native PECL xmlrpc extension.

> Note:
> It's extremely unfair from the phpxmlrpc maintainers to add the exploit
> code to the fixed library without any grace period! Usually it is one
> week, but one or two days would have been enough also.
> I'm strongly considering removing this horribly written library from
> phpwiki and just rely on the stable and fast PECL extension by Dan
> Libby, which also supports SOAP.

That's an awful way to handle an exploit, not giving the good guys a head start. If phpxmlrpc can be replaced easily, I'd say replace it.