-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 20, 2005, at 7:35 PM, Bill McGonigle wrote:
> I've been trying to figure out if the PHP xmlrpc.php exploits
> affect wordpress-pg (release version):
>
> http://phpxmlrpc.sourceforge.net/#security
>
> From what I've been able to infer from postings on the wordpress
> site and lists, it looks like yes. I found a patch someone made
> for another modified WordPress, but the diff is > 2K, and doesn't
> appear directly relevant. Apparently 'eval' is the problem and
> there are three calls to eval in the file that would need dealing
> with. WordPress 1.5 deals with this by using a different library,
> but there's no native Postgres support.
It probably affects WordPress-pg. I'm sure there are other lingering
issues that were shared with the WordPress-MySQL code as well.
> Others reading these archives might also want to know the main
> developer (based on the archives) of wordpress-pg isn't a user
> anymore:
>
> http://www.carrel.org/articles/2005/07/21/switched-to-typo
>
> and has some problems with the WordPress crew's methodology. Which
> is good to know when evaluating options. Also it looks like Typo
> is a nice alternative that doesn't suffer from PHP security problems.
Actually Keenan was (is?) the main developer, I just showed up after
he had done the brunt of the work and helped merge changes in from a
few later versions. As I outlined in the linked article above I
moved on to work on something else, but I don't want that to poison
anyone's desire to work on this should their heart be more into it
than mine was.
> If anyone can confirm these conjectures to be true, it's probably
> wise to pull the current release, or at least plaster it with
> warnings.
True enough. I've added a warning note on the main project page.
- - wac
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iEYEARECAAYFAkMw35gACgkQyWl2oUGFZkyf6ACgokBrJs0JJkMfl1nE0XerHm/d
CYwAnjRQYlK4+scUSEnbxbVatuFORTpa
=GNzf
-----END PGP SIGNATURE-----
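The thread above names the problem only as "eval" in xmlrpc.php. The following is an added illustration, not code from phpxmlrpc, WordPress or WordPress-pg, of the general shape of that bug: untrusted XML-RPC text is spliced into a string of PHP source which is then passed to eval(), so a value that closes the intended literal gets to append its own statements. The request is constructed sample input, and the function names decode_with_eval and decode_without_eval are hypothetical; the eval-free decoder beside it does the same job by walking the parsed tree, which is the fix for this class of bug regardless of how the real library was patched.

```php
<?php
// Added illustration, not code from phpxmlrpc or WordPress-pg. Two decoders
// for the same constructed XML-RPC request: one builds PHP source from the
// request and eval()s it, the other assigns directly from the parsed tree.
// Function names are hypothetical.

// Constructed request. The first <name> closes the array-key literal the
// eval-based decoder wraps it in and appends a statement of its own.
$request = <<<'XML'
<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params><param><value><struct>
    <member>
      <name>x']='a'; $GLOBALS['injected']=true; $out['y</name>
      <value><string>hello</string></value>
    </member>
    <member>
      <name>greeting</name>
      <value><string>world</string></value>
    </member>
  </struct></value></param></params>
</methodCall>
XML;

// Vulnerable pattern: generate PHP source from request text, then eval() it.
// Any member name containing a single quote escapes the intended literal, so
// the request author chooses what code runs.
function decode_with_eval(string $xml): array
{
    $doc  = new SimpleXMLElement($xml);
    $code = '$out = array();';
    foreach ($doc->params->param->value->struct->member as $m) {
        $code .= "\$out['" . (string)$m->name . "'] = '"
               . (string)$m->value->string . "';";
    }
    eval($code);   // executes attacker-controlled source
    return $out;
}

// Hardened equivalent: no source text is generated, so request content can
// only ever be data, however many quotes or semicolons it contains.
function decode_without_eval(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $out = array();
    foreach ($doc->params->param->value->struct->member as $m) {
        $out[(string)$m->name] = (string)$m->value->string;
    }
    return $out;
}

// Run both decoders over the same request and report whether the payload
// managed to execute (it sets $GLOBALS['injected'] when it does).
$GLOBALS['injected'] = false;
$vuln = decode_with_eval($request);
printf("eval decoder: injected=%s keys=%s\n",
       var_export($GLOBALS['injected'], true),
       implode(',', array_keys($vuln)));

$GLOBALS['injected'] = false;
$safe = decode_without_eval($request);
printf("safe decoder: injected=%s keys=%s\n",
       var_export($GLOBALS['injected'], true),
       implode(',', array_keys($safe)));
```

Run with `php decoders.php`: the eval-based decoder reports injected=true and ends up with the keys x, y and greeting that the payload chose, while the tree-walking decoder reports injected=false and simply stores the odd-looking name as a key. The practical check for a copy of WordPress-pg is the one the thread implies: `grep -n 'eval' xmlrpc.php` and confirm that none of the remaining calls evaluate a string built from request data.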