From: Reini U. <ru...@x-...> - 2005-07-03 07:04:11

The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is using is easily exploitable. The updated version xmlrpc-1.1 from the website even contains the exploit code, so it's very likely that your webserver will get "rooted" in the next week if you're using phpwiki-1.3.4 or later.

See http://phpxmlrpc.sourceforge.net/
and http://www.gulftech.org/?node=research&article_id=00088-07022005

The updated xmlrpc-1.1 version doesn't work out of the box and will require one more day to be fixed.

If you are using phpwiki-1.3.11_rc1 or newer or a CVS version later than 2005-01-05 AND you are using the native PECL xmlrpc extension by Dan Libby you are on the safe side and forget this issue. Check your phpinfo() if the xmlrpc extension is loaded.
phpwiki from 2005-01-05 on checks the existence and does not use the exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.

If you are affected please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it.

Note:
It's extremely unfair of the phpxmlrpc maintainers to add the exploit code to the fixed library without any grace period! Usually it is one week, but one or two days would have been enough also.
I'm strongly considering removing this horribly written library from phpwiki and just rely on the stable and fast PECL extension by Dan Libby, which also supports SOAP.

--
Reini Urban
http://phpwiki.org/

From: Mario S. <ma...@er...> - 2005-07-04 14:42:20

Ah, NIH syndrome sometimes pays out *g*. I've been using a homegrown xmlrpc library in my pet projects, mainly because I was unhappy with the strange API of Edd Dumbill's library.

http://upgradephp.berlios.de/

It's slightly bloated, because it engages a wannabe XML parser if there is no native support in PHP. Additionally it also takes advantage of the native XML-RPC extension (PECL) if it's present (like the current PhpWiki xmlrpc interface does). And it definitely contains no stupid code involving eval(), but it doesn't care about method fingerprints or restrict parameter types like most other implementations do.

But maybe you want to give it a try anyhow (easier to use, more HTTP compliant).

mario

From: Reini U. <ru...@x-...> - 2005-07-04 15:53:46

> Ah, NIH syndrome sometimes pays out *g*. I've been using a homegrown
> xmlrpc library in my pet projects, mainly because I was unhappy with the
> strange API of Edd Dumbill's library.
>
> http://upgradephp.berlios.de/

Looks fine to me. I'll give it a try.
I don't know if we need method fingerprints and restricted parameter types, guess not.

> It's slightly bloated, because it engages a wannabe XML parser
> if there is no native support in PHP. Additionally it also takes
> advantage of the native XML-RPC extension (PECL) if it's present
> (like the current PhpWiki xmlrpc interface does). And it definitely
> contains no stupid code involving eval(), but it doesn't care about
> method fingerprints or restrict parameter types like most other
> implementations do.
> But maybe you want to give it a try anyhow (easier to use, more
> HTTP compliant).

--
Reini Urban
http://phpwiki.org/
http://xarch.tu-graz.ac.at/home/rurban/

From: Reini U. <ru...@x-...> - 2005-08-14 13:15:52

Dear phpwiki site maintainers,

Another similar xmlrpc issue with the php version of xmlrpc came up. Please update within the next week to the CVS version or disable it completely.

The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is easily exploitable.

If you are using CVS versions later than 2005-08-15 (tomorrow) or you are using the native PECL xmlrpc .so/.dll extension by Dan Libby you are on the safe side and can forget this issue. Check your phpinfo() if the xmlrpc extension is loaded.

If you want to disable this horrible library and are not using the above-mentioned native extension, please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it. xmlrpc connections will fail then.

The upcoming livesearch for myacdropdown feature will use the fast xmlrpc protocol, and hyperwiki requires it already, in case you don't know.

PS: This time the upstream maintainer decided not to publish the exploit code and to warn the maintainers beforehand, so we have some time to fix it. Thanks a lot Stefan Esser! Good work!
It is already fixed at the sf.net wikis.

Reini Urban wrote:
> The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is using
> is easily exploitable. The updated version xmlrpc-1.1 from the website
> even contains the exploit code, so it's very likely that your webserver
> will get "rooted" in the next week if you're using phpwiki-1.3.4 or later.
>
> See http://phpxmlrpc.sourceforge.net/
> and http://www.gulftech.org/?node=research&article_id=00088-07022005
>
> The updated xmlrpc-1.1 version doesn't work out of the box and will
> require one more day to be fixed.
>
> If you are using phpwiki-1.3.11_rc1 or newer or a CVS version later
> than 2005-01-05 AND you are using the native PECL xmlrpc extension by
> Dan Libby you are on the safe side and forget this issue. Check your
> phpinfo() if the xmlrpc extension is loaded.
> phpwiki from 2005-01-05 on checks the existence and does not use the
> exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.
>
> If you are affected please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it.
>
> Note:
> It's extremely unfair of the phpxmlrpc maintainers to add the exploit
> code to the fixed library without any grace period! Usually it is one
> week, but one or two days would have been enough also.
> I'm strongly considering removing this horribly written library from
> phpwiki and just rely on the stable and fast PECL extension by Dan
> Libby, which also supports SOAP.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
http://phpwiki.org/
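
The two checks both advisories ask for (is the native xmlrpc extension loaded, and is the bundled lib/XMLRPC/xmlrpc.inc still in place), combined into one triage function. This is an added shell example, not part of the original messages and not PhpWiki code; the function name, the four status words and the use of `php -m` in place of phpinfo() are assumptions.

```shell
#!/bin/sh
# Added example (not PhpWiki code). xmlrpc_triage is a hypothetical helper.
# Usage: xmlrpc_triage <phpwiki_root> [module_list]
#   module_list defaults to the output of `php -m`. Assumption: the CLI and
#   the web server load the same extensions; phpinfo() under the web server
#   is the authoritative check named in the advisories.
xmlrpc_triage() {
    root=$1
    if [ $# -ge 2 ]; then
        mods=$2
    else
        mods=$(php -m 2>/dev/null || true)
    fi

    # Whole-line match, so "xml" or "xmlreader" do not count as xmlrpc.
    if printf '%s\n' "$mods" | grep -qix 'xmlrpc'; then ext=yes; else ext=no; fi
    # The bundled PHP library the advisories say to remove or rename.
    if [ -f "$root/lib/XMLRPC/xmlrpc.inc" ]; then lib=yes; else lib=no; fi

    case "$ext/$lib" in
        # Native extension loaded and the bundled library is gone.
        yes/no)  echo "native-only" ;;
        # Extension loaded but the library is still on disk: per the July
        # message, only phpwiki from 2005-01-05 on prefers the extension,
        # so the phpwiki version has to be confirmed by hand.
        yes/yes) echo "check-version" ;;
        # No extension and the library is in place: the affected setup.
        no/yes)  echo "exposed" ;;
        # No extension, library removed or renamed: xmlrpc calls will fail.
        no/no)   echo "disabled" ;;
    esac
}

# Triage every PhpWiki tree given on the command line.
for tree in "$@"; do
    printf '%s\t%s\n' "$tree" "$(xmlrpc_triage "$tree")"
done
```
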