From: Bill M. <bi...@bf...> - 2005-09-21 02:36:11
I've been trying to figure out if the PHP xmlrpc.php exploits affect wordpress-pg (release version): http://phpxmlrpc.sourceforge.net/#security

From what I've been able to infer from postings on the wordpress site and lists, it looks like yes. I found a patch someone made for another modified WordPress, but the diff is > 2K, and doesn't appear directly relevant. Apparently 'eval' is the problem and there are three calls to eval in the file that would need dealing with. WordPress 1.5 deals with this by using a different library, but there's no native Postgres support.

Others reading these archives might also want to know the main developer (based on the archives) of wordpress-pg isn't a user anymore: http://www.carrel.org/articles/2005/07/21/switched-to-typo and has some problems with the Wordpress crew's methodology. Which is good to know when evaluating options. Also it looks like Typo is a nice alternative that doesn't suffer from PHP security problems.

If anyone can confirm these conjectures to be true, it's probably wise to pull the current release, or at least plaster it with warnings.

-Bill

-----
Bill McGonigle, Owner                  Work: 603.448.4440
BFC Computing, LLC                     Home: 603.448.1668
bi...@bf...                            Mobile: 603.252.2606
http://www.bfccomputing.com/           Pager: 603.442.1833
Jabber: flo...@gm...                   Text: bil...@bf...
RSS: http://blog.bfccomputing.com/rss
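The post names eval as the root of the xmlrpc.php problem. The following is an added illustration, not code from wordpress-pg, phpxmlrpc or the poster, of the defect class involved: decoding XML-RPC input by assembling PHP source text and handing it to eval(), beside the eval-free way of building the same values. The SimpleXML-based parsing, the function names and the two sample requests are assumptions constructed for this example; the library's real parser is not reproduced.

```php
<?php
// Added example, not code from wordpress-pg or phpxmlrpc. It illustrates the
// class of defect the post refers to: decoding XML-RPC input by assembling PHP
// source text and passing it to eval(). Parsing uses SimpleXML (an assumption
// made here for brevity); the real library's parser is not reproduced.

declare(strict_types=1);

// Unsafe pattern: every decoded string is spliced into a PHP expression.
// The input is data, but eval() treats the assembled text as code, so a
// single quote inside a value is enough to change what the program means.
function decode_with_eval(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $code = 'return array(';
    foreach ($doc->params->param as $param) {
        $code .= "'" . (string) $param->value->string . "', ";
    }
    $code .= ');';
    return eval($code);
}

// Safe pattern: build PHP values straight from the parsed tree. No text is
// ever interpreted as code, so the content of a value cannot alter control flow.
function decode_without_eval(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $out = [];
    foreach ($doc->params->param as $param) {
        $out[] = (string) $param->value->string;
    }
    return $out;
}

// Constructed sample requests. The second carries an apostrophe, which is
// ordinary data in XML-RPC but breaks the string literal the eval version builds.
$requests = [
    'plain'      => '<methodCall><methodName>demo.echo</methodName><params>'
                  . '<param><value><string>hello</string></value></param>'
                  . '</params></methodCall>',
    'apostrophe' => '<methodCall><methodName>demo.echo</methodName><params>'
                  . '<param><value><string>it\'s</string></value></param>'
                  . '</params></methodCall>',
];

foreach ($requests as $label => $xml) {
    echo "== $label ==\n";
    try {
        echo 'eval-based: ', json_encode(decode_with_eval($xml)), "\n";
    } catch (ParseError $e) {
        // Reaching this branch shows the value was being compiled as PHP code.
        echo 'eval-based: ParseError (input was treated as code)', "\n";
    }
    echo 'eval-free:  ', json_encode(decode_without_eval($xml)), "\n";
}
```

Run with `php example.php`. The plain request decodes identically both ways; the request containing an apostrophe makes the eval-based decoder fail with a ParseError while the eval-free decoder returns the value unchanged. That difference is the whole point: a decoder that cannot tell data from code on an apostrophe cannot be trusted with attacker-chosen input, and the fix is to stop generating code from input rather than to escape harder. Auditing a file for this pattern is a matter of locating each eval() call and asking whether any part of its argument originates from the request.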