Open Source Blogs, Wikis at Risk From New Flaw

A highly critical vulnerability has been found in XML-Remote Procedure Call (XML-RPC), which impacts many open source applications that use the vital software component.

The flaw could allow an attacker to take control of a vulnerable Web server.

Open source projects and Linux vendors alike have issued advisories and updates and the SANS Internet Storm Center has warned that the flaw could trigger an epidemic.

XML-RPC is a set of implementations based on a specification originally drafted by Dave Winer, who’s credited with creating RSS. XML-RPC is a cross-platform spec that allows software to make procedure calls using XML for encoding and HTTP for transport.

The vulnerability has been found in PHP implementations of XML-RPC from both the PHPXMLRPC and PEAR (the PHP Extension and Application Repository) download sites, which are included in “dozens” of applications written in PHP, according to the advisory.

The XML-RPC implementations are at a “very high risk” from the PHP code execution vulnerability according to security firm GulfTech Research, which reported the flaw late last week.

GulfTech Research said “the vulnerability is the result of unsanitized data being passed directly into an eval() call in the parseRequest() function of the XMLRPC server.”

GulfTech’s advisory goes on to note that an attacker could easily execute PHP exploit code on the target server by creating an XML file that includes single quotes in order to escape into the eval() call.
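The defensive point in the two paragraphs above is that request text must never reach eval(). The following is an added example, not code from PHPXMLRPC, PEAR, or any project named in this article: a hypothetical reconstruction of the unsafe pattern (request data spliced into PHP source and evaluated) beside a decoder that walks the parsed XML tree and only ever copies text, so a single quote in a parameter stays a character rather than becoming code. All function names and the sample request are constructed for this illustration.

```php
<?php
// Added example; not the PHPXMLRPC/PEAR code. Shows the eval()-based pattern
// the advisory describes next to a tree-walking decoder that never evaluates
// request bytes. Names and the sample request below are constructed.

// Hypothetical unsafe pattern: the value's text is spliced into PHP source.
// A single quote in $text closes the literal; what follows is run as PHP.
function unsafe_decode_string(string $text)
{
    $src = '$v = \'' . $text . '\';';
    eval($src);   // request data as code: this is the flaw class in the article
    return $v;
}

// Direct child elements of $node with the given tag name (non-recursive).
function child_elements(DOMNode $node, string $name): array
{
    $out = [];
    foreach ($node->childNodes as $c) {
        if ($c instanceof DOMElement && $c->tagName === $name) {
            $out[] = $c;
        }
    }
    return $out;
}

// Safe decoder: turns an XML-RPC <value> element into a PHP scalar or array.
// Every branch copies text or recurses; nothing is evaluated as code.
function decode_value(DOMElement $value)
{
    $typed = null;
    foreach ($value->childNodes as $c) {
        if ($c instanceof DOMElement) { $typed = $c; break; }
    }
    if ($typed === null) {               // <value>text</value> is a string
        return $value->textContent;
    }
    $text = trim($typed->textContent);
    switch ($typed->tagName) {
        case 'string':
            return $typed->textContent;   // quotes are ordinary characters here
        case 'int':
        case 'i4':
            if (!preg_match('/^[+-]?\d+$/', $text)) {
                throw new InvalidArgumentException("bad int: $text");
            }
            return (int) $text;
        case 'boolean':
            return $text === '1';
        case 'array':
            $out = [];
            foreach (child_elements($typed, 'data') as $data) {
                foreach (child_elements($data, 'value') as $v) {
                    $out[] = decode_value($v);
                }
            }
            return $out;
        case 'struct':
            $out = [];
            foreach (child_elements($typed, 'member') as $m) {
                $names = child_elements($m, 'name');
                $vals  = child_elements($m, 'value');
                if (count($names) !== 1 || count($vals) !== 1) {
                    throw new InvalidArgumentException('malformed struct member');
                }
                $out[$names[0]->textContent] = decode_value($vals[0]);
            }
            return $out;
        default:
            throw new InvalidArgumentException('unsupported type: ' . $typed->tagName);
    }
}

// Parses a <methodCall> document into [methodName, params] without eval().
function parse_request(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: the parser makes no network fetches while loading.
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->documentElement->tagName !== 'methodCall') {
        throw new InvalidArgumentException('not a methodCall document');
    }
    $root  = $doc->documentElement;
    $names = child_elements($root, 'methodName');
    if (count($names) !== 1 || !preg_match('~^[A-Za-z0-9_.:/]+$~', trim($names[0]->textContent))) {
        throw new InvalidArgumentException('bad methodName');
    }
    $params = [];
    foreach (child_elements($root, 'params') as $ps) {
        foreach (child_elements($ps, 'param') as $p) {
            foreach (child_elements($p, 'value') as $v) {
                $params[] = decode_value($v);
            }
        }
    }
    return [trim($names[0]->textContent), $params];
}

// Constructed sample request: a string parameter that contains a single quote.
$sample = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params>
    <param><value><string>it's only data</string></value></param>
    <param><value><int>42</int></value></param>
  </params>
</methodCall>
XML;

[$method, $params] = parse_request($sample);
var_dump($method, $params);   // the quote survives as a plain character in a string
```

The decoder validates each typed value (digits only for int, a whitelist of characters for methodName) and rejects anything else with an exception; the unsafe function is included only to show the shape of the pattern and is never called. A code review check that catches this whole class is simply grepping the request-handling path for eval(), create_function() and similar string-to-code calls and requiring that none of them see request-derived input.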

PEAR and PHPXMLRPC have issued updates to fix the issue. Various blog, wiki and content management system (CMS) projects that utilize the XML-RPC libraries have issued advisories to their users to update as well. Among the many affected programs are Serendipity, phpAdsNew, phpWiki, PostNuke, WordPress, Drupal, phpMyFAQ, b2evolution, TikiWiki, phpGroupWare and BLOG:CMS.

Among Linux vendors, Gentoo and Mandriva issued advisories on the issue.

Over the weekend, the SANS Internet Storm Center warned that the XML-RPC flaw combined with the unpatched Microsoft IE flaw could lead to an Internet “storm”.
