Re: [Phpwiki-talk] XMLRPC vulnerability security advise

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Dear phpwiki site maintainers,

Another similar xmlrpc issue with the php version of xmlrpc came up.
Please update within the next week to the CVS version or disable it 
completely.
The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today
is easily exploitable.

If you are using CVS versions later than 2005-08-15 (tomorrow) or you 
are using the native PECL xmlrpc .so/.dll extension by Dan Libby you are 
on the safe side and can forget this issue. Check your phpinfo() if the 
xmlrpc extension is loaded.

If you want to disable this horrible library and are not using the above 
mentioned native extension, please remove lib/XMLRPC/xmlrpc.inc ASAP or 
rename it. xmlrpc connections will fail then.
The upcoming livesearch for myacdropdown feature will use the fast 
xmlrpc protocol, and hyperwiki requires it already, in case you don't know.

PS: This time the upstream maintainer decided not to publish the exploit 
code and to warn the maintainers beforehand, so we have some time to fix 
it. Thanks a lot Stefan Esser! Good work!

It is already fixed at the sf.net wikis.

Reini Urban schrieb:
> The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is using 
> is easily exploitable. The updated version xmlrpc-1.1 from the website 
> even contains the exploit code, so it's very likely that you webserver 
> will get "rooted" in the next week if your using phpwiki-1.3.4 or later.
> 
> See http://phpxmlrpc.sourceforge.net/
> and http://www.gulftech.org/?node=research&article_id=00088-07022005
> 
> The updated xmlrpc-1.1 version doesn't work out of the box and will 
> require one more day to be fixed.
> 
> If you are using phpwiki-1.3.11_rc1 or a newer or a CVS versions later 
> than 2005-01-05 AND you are using the native PECL xmlrpc extension by 
> Dan Libby you are on the safe side and forget this issue. Check your 
> phpinfo() if the xmlrpc extension is loaded.
> phpwiki from 2005-01-05 on checks the existance and does not use the 
> exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.
> 
> If you are affected please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it.
> 
> Note:
> It's extremely unfair from the phpxmlrpc maintainers to add the exploit 
> code to the fixed library without any grace period! Usual it is one 
> week, but one ot two days would have been enough also.
> I'm stronlgy considering removing this horribly written library from 
> phpwiki and just rely on the stable and fast PECL extension by Dan 
> Libby, which also supports SOAP.
-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
http://phpwiki.org/