Package: phpwiki
Tags: security
Severity: serious

Just got this through the PHPWiki list.  I'm going to pull xmlrpc.inc as
suggested.  I pulled the package from Sarge because I didn't think it was
releasable, so there's no need to go through a full DSA cycle.  Just keeping
the security team in the loop.

----- Forwarded message from Reini Urban <[EMAIL PROTECTED]> -----

From: Reini Urban <[EMAIL PROTECTED]>
To: phpwiki <[EMAIL PROTECTED]>
Date: Sun, 03 Jul 2005 09:04:06 +0200
Subject: XMLRPC vulnerability security advise

The phpxmlrpc library that phpwiki-1.3.x from 2002/08/30 up to today is using 
is easily exploitable. The updated version xmlrpc-1.1 from the website 
even contains the exploit code, so it's very likely that your webserver 
will get "rooted" in the next week if you're using phpwiki-1.3.4 or later.

See http://phpxmlrpc.sourceforge.net/
and http://www.gulftech.org/?node=research&article_id=00088-07022005

The updated xmlrpc-1.1 version doesn't work out of the box and will 
require one more day to be fixed.

If you are using phpwiki-1.3.11_rc1 or newer, or a CVS version later 
than 2005-01-05, AND you are using the native PECL xmlrpc extension by 
Dan Libby, you are on the safe side and can forget this issue. Check your 
phpinfo() to see if the xmlrpc extension is loaded.
phpwiki from 2005-01-05 on checks the existence and does not use the 
exploitable phpxmlrpc library which ships with phpwiki/lib/XMLRPC.

If you are affected please remove lib/XMLRPC/xmlrpc.inc ASAP or rename it.

Note:
It's extremely unfair from the phpxmlrpc maintainers to add the exploit 
code to the fixed library without any grace period! Usually it is one 
week, but one or two days would have been enough as well.
I'm strongly considering removing this horribly written library from 
phpwiki and just relying on the stable and fast PECL extension by Dan 
Libby, which also supports SOAP.
-- 
Reini Urban
http://phpwiki.org/




----- End forwarded message -----
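The check and mitigation the advisory describes (is the PECL xmlrpc extension loaded, is the bundled lib/XMLRPC/xmlrpc.inc still present, rename it if so), written up as an added shell example; this is not code from the advisory, phpwiki or the Debian package, and the install path and the `php -m` module list are passed in as arguments because they depend on the host.

```sh
#!/bin/sh
# Added example (not from the advisory, phpwiki or Debian): report whether a
# phpwiki tree still carries the bundled phpxmlrpc library and whether the
# native PECL xmlrpc extension is present, then disable the bundled file.
# Arguments: phpwiki install directory, and the module list as printed by
# `php -m` (passed in so the check also runs on a copied tree or in a test).
# Returns 1 when the bundled library is present and the PECL extension is
# not loaded. Caveat from the advisory: only phpwiki 1.3.11_rc1 / CVS after
# 2005-01-05 actually prefers the PECL extension, so on older trees the
# bundled file should be removed regardless of what this check reports.
phpwiki_xmlrpc_status() {
    bundled="$1/lib/XMLRPC/xmlrpc.inc"
    modules="$2"
    pecl=no
    printf '%s\n' "$modules" | grep -qix 'xmlrpc' && pecl=yes
    present=no
    [ -f "$bundled" ] && present=yes
    echo "pecl xmlrpc loaded: $pecl; bundled xmlrpc.inc present: $present"
    if [ "$present" = yes ] && [ "$pecl" = no ]; then
        return 1
    fi
    return 0
}

# Apply the advisory's mitigation: move the bundled library out of the
# include path (renaming keeps a copy for diffing against the fixed upstream).
phpwiki_disable_bundled_xmlrpc() {
    bundled="$1/lib/XMLRPC/xmlrpc.inc"
    [ -f "$bundled" ] || return 0
    mv "$bundled" "$bundled.disabled"
}

# Usage on a live host (path is an assumption): ./check.sh /usr/share/phpwiki
if [ $# -ge 1 ]; then
    if ! phpwiki_xmlrpc_status "$1" "$(php -m 2>/dev/null)"; then
        phpwiki_disable_bundled_xmlrpc "$1"
        phpwiki_xmlrpc_status "$1" "$(php -m 2>/dev/null)"
    fi
fi
```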
