XML RPC Exploit

**cyon** · 07-04-2005 07:49 PM

There is a critical exploit for xml rpc for php. (see http://www.gulftech.org/?node=resear...00088-07022005 for details)

I just reported the bug in bugzilla. please vote on it, if you want to have it fixed asap: http://bugzilla.cpanel.net/show_bug.cgi?id=2768

edit: on WHT is a discussion about it: http://www.webhostingtalk.com/showth...hreadid=421520

**randomuser** · 07-04-2005 09:21 PM

26 views and 3 votes (I just voted). It will only take a minute of your time, please vote.

**rpmws** · 07-05-2005 12:10 AM

looks like on 7/05/05 a new buildapache is listed on layer1 .. but i don't see a new version of php listed in the whm script yet.

**haze** · 07-05-2005 01:10 AM

Keep in mind people that PHP have NOT updated a stable release yet, only an RC2. The change to Buildapache was most likely the updating of the pear module, though I can not confirm this.

http://www.php.net/ <-- install it manually if you must, but keep in mind it is RC2. I'm sure the more people that QA it, the faster it will be released.

**jamesbond** · 07-05-2005 03:58 AM

Remember that also the scripts using embedded xml-rpc classes need to be updated, like Wordpress:

http://codex.wordpress.org/Changelog/1.5.1.3

**sheetaljo** · 07-05-2005 10:23 AM

any updates from cPanel for a fix to this?

**chirpy** · 07-05-2005 10:45 AM

As haze has said, cPanel are unlikely to release a fix until there's a stable PHP release for it. If you want a specific response from them you should contact them following the details on their site.

**denisdekat09** · 07-05-2005 12:12 PM

WHT forums thread on sam esubject here: http://www.webhostingtalk.com/showth...67#post3212267

darksoul suggested this for mod_sec rules:

SecFilter "xmlrpc.php"

**jamesbond** · 07-05-2005 12:24 PM

From php.net

An easily exploitable security issue was discovered in PEAR XML_RPC <= 1.3.0. We recommend that users of this PEAR class immediately upgrade to the latest version with:

pear upgrade XML_RPC

The same security problem exists in many other XML RPC implementations, please check if the installed applications that you use might have a similar problem.

**cyon** · 07-05-2005 02:18 PM

Originally Posted by chirpy

As haze has said, cPanel are unlikely to release a fix until there's a stable PHP release for it. If you want a specific response from them you should contact them following the details on their site.

In my eyes it's much more dangerous to wait for a stable version than to upgrade to an unstable one.

What's more worse, beeing attacked through the exploit or having some issues with an unstable version?

**chirpy** · 07-05-2005 03:36 PM

I don't disagree. However, that has been cPanel's stance in the past and the recent issues after doing exactly what you suggest with proftpd (and all the problems that caused) probably reinforces that viewpoint.

**jamesbond** · 07-05-2005 04:20 PM

Some more info about vulnerable cms/blog software:

http://forum.hardened-php.net/viewtopic.php?id=9

**trparky** · 07-05-2005 04:25 PM

Does Apache/PHP need to be recompiled to fix this or is this a PHP Pear Module issue?

**jamesbond** · 07-05-2005 05:09 PM

Originally Posted by trparky

Does Apache/PHP need to be recompiled to fix this or is this a PHP Pear Module issue?

Did you bother reading all the posts ? For now upgrade pear xml rpc and all the xmlrpc files used by blog/cms software. Do a search for *xml*rpc* on your servers and you'll have an idea

The final step is to wait for the next stable php release, and this is only necessary if you have compiled php with --xml-rpc

**trparky** · 07-05-2005 05:31 PM

I did that, and yes, a few of the servers we run have the compile switch "--xml-rpc". Wonderful, that is great!

When will PHP come out with a fix for this?

I was getting confused because there are two XML-RPC-like modules. One Pear and one built into PHP. Are all PHP implementations vulnerable to this attack?

LinkBack

Thread Tools

XML RPC Exploit

Horde Groupware SyncML and rpc.php

Get in the cpanel codeigniter using xml-rpc

xml-rpc

rpc.statd