Comments on: XML-RPC Vulnerability

By: StreetComputing » WordPress comments and numeric entity codes

StreetComputing » WordPress comments and numeric entity codes — Thu, 15 Sep 2005 08:42:13 +0000

[...] In fact, the only near-official word I could find on the matter was this comment on Matt Mullenweg’s (WP lead developer) weblog, in which he states: I do block comments with numeric entities lower than a certain number. [...]

By: Tim Verpoorten

Tim Verpoorten — Thu, 07 Jul 2005 04:22:29 +0000

Matt.
I believe you, now can you please talk to the folks over at blogsome.com that are running your WordPress groupware and let them know it’s safe? They just stopped all access to xlmrpc.php by third party apps like jetblog, and marsedit, etc… just manual blog entries. Maybe you can set them straight over there?
Thanks
Tim

By: ionic

ionic — Wed, 06 Jul 2005 20:09:49 +0000

Nahh forget it… it seems that you do something like striptags and when I wrote WordPress < with a real < char the rest was truncated. (strip_tags)

When I write &l;lt; i get a nice < instead….

So you need to write htmlentities

By: Matt

Matt — Wed, 06 Jul 2005 20:09:13 +0000

I bet the HTML cleaner (KSES) thought your comment after “WordPress” was one giant invalid HTML tag and stripped it.

By: Matt

Matt — Wed, 06 Jul 2005 20:07:23 +0000

Ionic, for some reason the comment came through as just “WordPress” with no other text, I assumed it was a mistake and deleted it. I do block comments with numeric entities lower than a certain number. If you want to email me your original comment I’ll be happy to make sure it gets posted.

By: ionic

ionic — Wed, 06 Jul 2005 20:02:56 +0000

Ohh I just see… When you write comments here you must fluently speak htmlentities…

By: ionic

ionic — Wed, 06 Jul 2005 20:01:03 +0000

It is not a nice act to remove my comment and replace it with a GulfTech one. I commented on this issue first.

Unfortunately this crappy blog, does strange things if you write somethint like

WordPress < 1.5 – if you replace < with the lower than character…

By: Matt

Matt — Wed, 06 Jul 2005 17:17:36 +0000

I think we switched when 1.5 was released.

By: GulfTech

GulfTech — Wed, 06 Jul 2005 17:07:00 +0000

The recently published XML-RPC vulns will not work on current versions of WordPress, but it seems that WordPress did use PHPXMLRPC at one time, and I think that is where the confusion comes in to play. Maybe the developers could tell us when they quit using PHPXMLRPC in favor of their own XML-RPC?

By: Xavier

Xavier — Wed, 06 Jul 2005 08:42:11 +0000

Does it really fix everything XML-RPC ? I read some files where released afterwards. Or were there added in 1.5.1.3 during an update of the archive (should we then re-install 1.5.1.3) ?

By: tyler

tyler — Tue, 05 Jul 2005 20:58:23 +0000

Thanks for the confirmation Matt. I was pretty sure 1.5.1.3 addressed that. The Hardened-PHP patch keeps all my apps safe from that bug though.