The Impending Storm

The Internet Storm Center is warning that the internet environment is ripe for a major security event. The ISC diary warns of the impending storm. If said storm does come to pass, many sites will be vulnerable, but not this one. The problem arises in PHP’s xml-rpc functions. WordPress makes heavy use of these functions for ping/trackbacks and updating RSS feeds.

Netcraft has a pretty detailed account of the flaw. I first saw this yesterday on Slashdot.

Here’s a little quote from Netcraft.

Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

The flaw affects the XML-RPC function, which has many uses in web applications, including “ping” update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls (RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.

I took the steps necessary to upgrade my xml-rpc version. I did so by running this command on my web server: “pear upgrade XML_RPC”. I also upgraded hardened-php. The new version of Hardened-PHP fixes this xml-rpc problem. The new version of hardened-php is 0.3.0. The last version was 0.2.7. The hardened-php site also got a make-over. I think it looks very nice. It’s much easier to find the issues that are addressed in each hardened-php patch. As long as hardened-php is around, I’m going to use it. I’m glad they’re watching out for me. It’s great to see they’ve included a patch for this xml-rpc flaw already.

UPDATE: Although the report on Netcraft and the others say WordPress is affected, it isn’t if you’re running Matt, a WordPress developer, says they use “different, more secure libraries for XML-RPC”. He just made a post clearing up the confusion that WordPress is affected. Steve Mallett is on top of things too.