From: William A. C. <wil...@ca...> - 2005-09-21 04:20:36
On Sep 20, 2005, at 7:35 PM, Bill McGonigle wrote:

> I've been trying to figure out if the PHP xmlrpc.php exploits
> affect wordpress-pg (release version):
>
> http://phpxmlrpc.sourceforge.net/#security
>
> From what I've been able to infer from postings on the wordpress
> site and lists, it looks like yes. I found a patch someone made
> for another modified WordPress, but the diff is > 2K, and doesn't
> appear directly relevant. Apparently 'eval' is the problem and
> there are three calls to eval in the file that would need dealing
> with. WordPress 1.5 deals with this by using a different library,
> but there's no native Postgres support.

It probably affects WordPress-pg. I'm sure there are other lingering
issues that were shared with the WordPress-MySQL code as well.

> Others reading these archives might also want to know the main
> developer (based on the archives) of wordpress-pg isn't a user
> anymore:
>
> http://www.carrel.org/articles/2005/07/21/switched-to-typo
>
> and has some problems with the Wordpress crew's methodology. Which
> is good to know when evaluating options. Also it looks like Typo
> is a nice alternative that doesn't suffer from PHP security problems.

Actually Keenan was (is?) the main developer; I just showed up after he
had done the brunt of the work and helped merge changes in from a few
later versions. As I outlined in the linked article above, I moved on to
work on something else, but I don't want that to poison anyone's desire
to work on this should their heart be more into it than mine was.

> If anyone can confirm these conjectures to be true, it's probably
> wise to pull the current release, or at least plaster it with
> warnings.

True enough. I've added a warning note on the main project page.

- wac
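The eval-based request handling the thread refers to, seen from the defender's side as an added example (this is not wordpress-pg or phpxmlrpc code): an XML-RPC methodCall decoded by walking the parsed XML tree, so request text only ever becomes PHP values and never PHP source. The function names and the sample request are constructed for this example.

```php
<?php
// Added example, not code from wordpress-pg or phpxmlrpc: decode an XML-RPC
// methodCall by walking the XML tree, so request text stays data and is never
// assembled into PHP source for eval(). The sample request below is constructed.
function xmlrpc_value_to_php(SimpleXMLElement $value) {
    $kids = $value->children();
    if (count($kids) === 0) {           // bare <value>text</value> is a string
        return (string) $value;
    }
    $node = $kids[0];
    switch ($node->getName()) {
        case 'int': case 'i4':   return (int) $node;
        case 'double':           return (float) $node;
        case 'boolean':          return ((string) $node) === '1';
        case 'string':           return (string) $node;
        case 'array':
            $out = [];
            foreach ($node->data->value as $v) { $out[] = xmlrpc_value_to_php($v); }
            return $out;
        case 'struct':
            $out = [];
            foreach ($node->member as $m) {
                $out[(string) $m->name] = xmlrpc_value_to_php($m->value);
            }
            return $out;
        default:
            throw new InvalidArgumentException('unsupported type ' . $node->getName());
    }
}

function parse_method_call(string $xml): array {
    // LIBXML_NONET keeps the parser from fetching external DTDs or entities.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || $doc->getName() !== 'methodCall') {
        throw new InvalidArgumentException('not an XML-RPC methodCall');
    }
    $params = [];
    foreach ($doc->params->param as $p) { $params[] = xmlrpc_value_to_php($p->value); }
    return ['method' => (string) $doc->methodName, 'params' => $params];
}

// Constructed request: the quote and semicolon in the string would matter if the
// value were spliced into generated PHP source; here they are just characters.
$request = <<<XML
<methodCall><methodName>demo.echo</methodName><params>
  <param><value><string>it's data; not code</string></value></param>
  <param><value><array><data><value><int>7</int></value></data></array></value></param>
</params></methodCall>
XML;
var_export(parse_method_call($request));
```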