phpwiki XMLRPC vulnerability security advise

The phpxmlrpc library phpwiki-1.3.x from 2002/08/30 up to today is using is easily exploitable. The updated version xmlrpc-1.1 from the website even contains the exploit code, so it's very likely that you webserver will get "rooted" in the next week if your using phpwiki-1.3.4 or later.


The updated xmlrpc-1.1 version doesn't work out of the box and will require one more day to be fixed.

If you are using phpwiki-1.3.11_rc1 or a newer or a CVS versions later than 2005-01-05 AND you are using the native PECL xmlrpc extension by Dan Libby you are on the safe side and forget this issue. Check your phpinfo() if the xmlrpc extension is loaded.
phpwiki from 2005-01-05 on checks the existance and does not use the exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.

If you are affected please remove lib/XMLRPC/ ASAP or rename it.

It's extremely unfair from the phpxmlrpc maintainers to add the exploit code to the fixed library without any grace period! Usual it is one week, but one ot two days would have been enough also.
I'm stronlgy considering removing this horribly written library from phpwiki and just rely on the stable and fast PECL extension by Dan Libby, which also supports SOAP.
Reini Urban

Posted by Reini Urban 2005-07-06

Log in to post a comment.