To clarify for all the confused people WordPress is not affected by the recent XML-RPC problem that lots of other apps were. We use different, more secure libraries for XML-RPC. The problem was discovered by the same guy though, I imagine he was auditing our code and found totally unrelated, which we fixed in our recent release. Of course you wouldn’t guess that from the title, “PHP Blogging Apps Vulnerable to XML-RPC Exploits.” Let’s go down the list: PostNuke – content management; WordPress – blogging; Drupal – content/community management; Serendipity – blogging; phpAdsNew – ad serving; phpWiki – wiki (not blogging); phpMyFAQ – FAQ management. If it bleeds it leads, right? 😉
11 thoughts on “XML-RPC Vulnerability”
Thanks for the confirmation Matt. I was pretty sure 220.127.116.11 addressed that. The Hardened-PHP patch keeps all my apps safe from that bug though.
Does it really fix everything XML-RPC ? I read some files where released afterwards. Or were there added in 18.104.22.168 during an update of the archive (should we then re-install 22.214.171.124) ?
The recently published XML-RPC vulns will not work on current versions of WordPress, but it seems that WordPress did use PHPXMLRPC at one time, and I think that is where the confusion comes in to play. Maybe the developers could tell us when they quit using PHPXMLRPC in favor of their own XML-RPC?
I think we switched when 1.5 was released.
It is not a nice act to remove my comment and replace it with a GulfTech one. I commented on this issue first.
Unfortunately this crappy blog, does strange things if you write somethint like
WordPress < 1.5 – if you replace < with the lower than character…
Ohh I just see… When you write comments here you must fluently speak htmlentities…
Ionic, for some reason the comment came through as just “WordPress” with no other text, I assumed it was a mistake and deleted it. I do block comments with numeric entities lower than a certain number. If you want to email me your original comment I’ll be happy to make sure it gets posted.
I bet the HTML cleaner (KSES) thought your comment after “WordPress” was one giant invalid HTML tag and stripped it.
Nahh forget it… it seems that you do something like striptags and when I wrote WordPress < with a real < char the rest was truncated. (strip_tags)
When I write &l;lt; i get a nice < instead….
So you need to write htmlentities 😉
I believe you, now can you please talk to the folks over at blogsome.com that are running your WordPress groupware and let them know it’s safe? They just stopped all access to xlmrpc.php by third party apps like jetblog, and marsedit, etc… just manual blog entries. Maybe you can set them straight over there?