The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XML RPC Exploit

Discussion in 'General Discussion' started by cyon, Jul 4, 2005.

  1. cyon

    cyon Well-Known Member
    PartnerNOC

    Joined:
    Jan 15, 2003
    Messages:
    320
    Likes Received:
    0
    Trophy Points:
    16
    #1 cyon, Jul 4, 2005
    Last edited: Jul 4, 2005
  2. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    26 views and 3 votes (I just voted). It will only take a minute of your time, please vote.
     
  3. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    looks like on 7/05/05 a new buildapache is listed on layer1 .. but i don't see a new version of php listed in the whm script yet.
     
  4. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Keep in mind people that PHP have NOT updated a stable release yet, only an RC2. The change to Buildapache was most likely the updating of the pear module, though I can not confirm this.

    http://www.php.net/ <-- install it manually if you must, but keep in mind it is RC2. I'm sure the more people that QA it, the faster it will be released.
     
  5. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
  6. sheetaljo

    sheetaljo Registered

    Joined:
    Dec 11, 2002
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    any updates from cPanel for a fix to this?
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    As haze has said, cPanel are unlikely to release a fix until there's a stable PHP release for it. If you want a specific response from them you should contact them following the details on their site.
     
  8. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
  9. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    From php.net

     
  10. cyon

    cyon Well-Known Member
    PartnerNOC

    Joined:
    Jan 15, 2003
    Messages:
    320
    Likes Received:
    0
    Trophy Points:
    16
    In my eyes it's much more dangerous to wait for a stable version than to upgrade to an unstable one.

    What's more worse, beeing attacked through the exploit or having some issues with an unstable version?
     
    #10 cyon, Jul 5, 2005
    Last edited: Jul 5, 2005
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I don't disagree. However, that has been cPanel's stance in the past and the recent issues after doing exactly what you suggest with proftpd (and all the problems that caused) probably reinforces that viewpoint.
     
  12. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
  13. trparky

    trparky Well-Known Member

    Joined:
    Apr 23, 2003
    Messages:
    184
    Likes Received:
    1
    Trophy Points:
    0
    Does Apache/PHP need to be recompiled to fix this or is this a PHP Pear Module issue?
     
  14. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Did you bother reading all the posts ? For now upgrade pear xml rpc and all the xmlrpc files used by blog/cms software. Do a search for *xml*rpc* on your servers and you'll have an idea :)

    The final step is to wait for the next stable php release, and this is only necessary if you have compiled php with --xml-rpc :)
     
  15. trparky

    trparky Well-Known Member

    Joined:
    Apr 23, 2003
    Messages:
    184
    Likes Received:
    1
    Trophy Points:
    0
    I did that, and yes, a few of the servers we run have the compile switch "--xml-rpc". Wonderful, that is great!

    When will PHP come out with a fix for this?

    I was getting confused because there are two XML-RPC-like modules. One Pear and one built into PHP. Are all PHP implementations vulnerable to this attack?
     
    #15 trparky, Jul 5, 2005
    Last edited: Jul 5, 2005
  16. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Not sure what you mean with "all PHP implementations", I think it has been clearly explained by now :)

    From php.net:
     
  17. trparky

    trparky Well-Known Member

    Joined:
    Apr 23, 2003
    Messages:
    184
    Likes Received:
    1
    Trophy Points:
    0
    What do you mean by final release? Don't tell me that the next release of the 4.3 branch is going to be the last!
     
  18. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    don't worry .. it will be out soon ... soon after 4 million worms surface hacking all our boxes.
     
  19. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I would hope not. Final release usually just means the last release of a particular version update after it has gone through alpha > beta > release candidiate x > final.
     
  20. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Despite comments above, I don't think the PHP binary itself is vulnerable so you can all stop beating on cpanel for an easyapache fix. According to the sitepoint blog below (sitepoint is pretty reliable for these things) the problem is with two XML RPC libraries that are commonly used (as PHP often isn't compiled with --xml-rpc). This makes more complete sense when you realize that the developers used the "eval()" statement to parse incoming data; "eval()" is unlikely to be used in builtin code.

    See this in support of my contention:
    http://www.sitepoint.com/blog-post-view.php?id=278063
    - this is a good, clear technical statement of the affected libraries from a PHP guru

    I've started a thread in the Fantastico forum:
    http://netenberg.com/forum/viewtopic.php?p=14188#14188

    Does anyone have any hard data to backup claims that the PHP binary itself is vulnerable?

    If not, it's only a cleanup for applications that's required.

    Some brave soul needs to write a script that can go through the system and upgrade old xmlrpc libraries (or patch them) so we can feel safe. Something that could scan the system regularly (in case outdated software is installed) would be ideal. Any takers? :)
     
Loading...

Share This Page