Thus spake Reini Urban:
>
> If you are using phpwiki-1.3.11_rc1 or newer or a CVS version later
> than 2005-01-05 AND you are using the native PECL xmlrpc extension by
> Dan Libby you are on the safe side and forget this issue. Check your
> phpinfo() if the xmlrpc extension is loaded.
> phpwiki from 2005-01-05 on checks the existence and does not use the
> exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.
If you're using Fedora Core 4 (like I am), then you're using Dan Libby's
native PECL xmlrpc extension.
> Note:
> It's extremely unfair from the phpxmlrpc maintainers to add the exploit
> code to the fixed library without any grace period! Usually it is one
> week, but one or two days would have been enough also.
> I'm strongly considering removing this horribly written library from
> phpwiki and just rely on the stable and fast PECL extension by Dan
> Libby, which also supports SOAP.
That's an awful way to handle an exploit, not giving the good guys a head
start. If phpxmlrpc can be replaced easily, I'd say replace it.