
PHP Blogging Apps Open to XML-RPC Exploits

Zonk posted more than 9 years ago | from the batten-down-the-hatches dept.

The Internet 166

miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

166 comments

How to patch PHP/PEAR (5, Informative)

Anonymous Coward | more than 9 years ago | (#12981614)

From the command line:

pear clear-cache
pear upgrade XML_RPC

Re:How to patch PHP/PEAR (0, Offtopic)

xWastedMindx (636296) | more than 9 years ago | (#12981668)

or...
apt-get update; apt-get dist-upgrade

Re:How to patch PHP/PEAR (1)

iamdrscience (541136) | more than 9 years ago | (#12981744)

-bash: apt-get: command not found -bash: apt-get: command not found

Re:How to patch PHP/PEAR (1)

ciroknight (601098) | more than 9 years ago | (#12981793)

Who said to use Apt-get?

Re:How to patch PHP/PEAR (1)

cortana (588495) | more than 9 years ago | (#12981801)

Upgrade your distribution.

Oh wait, Debian's security support is still broken. Never mind.

Re:How to patch PHP/PEAR (3, Informative)

ScytheBlade1 (772156) | more than 9 years ago | (#12981867)

Well that was easy.

server bin # ./pear upgrade XML_RPC
downloading XML_RPC-1.3.1.tgz ...
Starting to download XML_RPC-1.3.1.tgz (25,310 bytes)
.........done: 25,310 bytes
upgrade ok: XML_RPC 1.3.1


How long.. (0)

Anonymous Coward | more than 9 years ago | (#12981615)

Worm anyone?

Re:How long.. (2, Funny)

Krankheit (830769) | more than 9 years ago | (#12981663)

A worm is not likely to be interested. Worms have a very simple nervous system (one "string"). Their motor skills are poor. Their central nervous system does not meet recommended requirements, but I am worried most that there is no keyboard compatible with worms. However, Google has developed a system to allow the pigeons they employ [google.com] to use computers to rank search result relevance. A modified version could work with an earthworm.

Makes me happy (4, Interesting)

orange haired boy (889758) | more than 9 years ago | (#12981616)

That I use Movable Type which won't be affected by this. Makes me sad that it's in PHP...since I love PHP. You can't have everything.

Re:Makes me happy (0)

BiggyP (466507) | more than 9 years ago | (#12981646)

Where does it categorically state that Movable Type isn't affected?

Re:Makes me happy (1)

orange haired boy (889758) | more than 9 years ago | (#12981655)

In the Story. Movable Type is written in Perl...not PHP. The problem is in the PHP XML-RPC libraries.

Re:Makes me happy (1)

BiggyP (466507) | more than 9 years ago | (#12981693)

Erm, oops, indeed it is, I'm not sure why I assumed it was PHP.

Re:Makes me happy (4, Funny)

BoneFlower (107640) | more than 9 years ago | (#12981669)

Well, Perl tends to be invulnerable to PHP flaws in the vast majority of situations.

Re:Makes me happy (1)

hostyle (773991) | more than 9 years ago | (#12981672)

Movable Type was written in Perl last time I checked. These are PHP library vulnerabilities.

Re:Makes me happy (5, Insightful)

Sepodati (746220) | more than 9 years ago | (#12981934)

Makes me sad that it's in PHP...since I love PHP

This isn't a PHP vulnerability. It's another poorly written, widely used application that's vulnerable because the developer fails to check external input. The vulnerability is in a PHP script that someone has written. It could have been written in any language; the fault is on the developer, not PHP.

---John Holmes...

Re:Makes me happy (1)

orange haired boy (889758) | more than 9 years ago | (#12982029)

You're correct. It's not a PHP problem. I'm only sad because of the association with PHP...perhaps like Microsoft is sad that Windows has some bad programs.

Re:Makes me happy (1)

onlyjoking (536550) | more than 9 years ago | (#12982082)

Read the article. It IS a PHP vuln. PHP's XML-RPC libraries are faulty.

Re:Makes me happy (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12981954)

what kind of dipshit loves PHP? It a truly horrid piece of shit.

Smooth. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12981621)

Smooth.

Question: does this effect phpbb? (3, Informative)

RLiegh (247921) | more than 9 years ago | (#12981622)

God knows there's a ton of free (and probably poorly maintained) php boards out there.

Re:Question: does this effect phpbb? (4, Informative)

iamdrscience (541136) | more than 9 years ago | (#12981630)

No, PHPBB doesn't use either of the PHP XML RPC libraries that have been compromised because, well, PHPBB doesn't use XML at all.

Re:Question: does this effect phpbb? (0)

Anonymous Coward | more than 9 years ago | (#12981726)

this one? no, but there are dozens of other vulnerabilities for phpBB : - )

Re:Question: does this effect phpbb? (1)

iamdrscience (541136) | more than 9 years ago | (#12981893)

...and plenty of security patches to go with them. For the most part PHPBB does a good job, although it's difficult to compare the number of vulnerabilities between boards because of the X-factor popularity, i.e. do they have more vulnerabilities than other boards just because they're more popular or because they're worse at programming too.

What I do know is that I once found a flaw in another PHP board I won't name and rather than fix it, I was told by the developers that they don't consider it a bug. Now, granted this bug didn't let an attacker execute arbitrary PHP or anything but it did allow them to hijack the sessions of anybody on the board and generally wreak havoc.

Re:Question: does this effect phpbb? (1)

1110110001 (569602) | more than 9 years ago | (#12982070)

The problem is the phpBB guys don't get it. First of all they rewrote phpBB and still have awfully structured code. And they use things like serialized strings in cookies, but they don't think it's their fault if it raises problems.

b4n

Re:Question: does this effect phpbb? (0)

Anonymous Coward | more than 9 years ago | (#12981639)

I hope not as I just did an upgrade of phpbb last night, only to come across an unsuccessful install. However, all is working fine now.

Re:Question: does this effect phpbb? (1, Informative)

Anonymous Coward | more than 9 years ago | (#12981754)

No, but phpBB had a bug of its own recently - another hole in their highlight-handling code, very much like the one in 2.0.10 that allowed for Santy. Fixed in 2.0.16.

Re:Question: does this effect phpbb? (1)

cecil36 (104730) | more than 9 years ago | (#12981835)

The link below is more detailed information of the phpBB exploit.

http://www.phpfreaks.com/articles/245/0.php [phpfreaks.com]

obligatory Soviet Russia (-1, Offtopic)

Krankheit (830769) | more than 9 years ago | (#12981623)

In Soviet Russia, blogging apps connect to you.

How is this a problem? (5, Funny)

Anonymous Coward | more than 9 years ago | (#12981629)

A blog server compromise cannot possibly lead to worse content.

Here's how (3, Funny)

Anonymous Coward | more than 9 years ago | (#12981636)

It could lead to more blogs!

Re:How is this a problem? (1)

Alwin Henseler (640539) | more than 9 years ago | (#12981863)

A blog server compromise cannot possibly lead to worse content.

Good point:
  1. Set up *vulnerable* blog server or useless forum
  2. Monitor it to see when it's compromised, and what new content gets uploaded
  3. ???
  4. Profit! (profit = time savings in obtaining new pr0n and wareZ)

Re:How is this a problem? (1)

Ravatar (891374) | more than 9 years ago | (#12982158)

If anything, the exploiter will remove the blog from the face of the earth, saving us all a tiny shred of annoyance.

this is news? (5, Informative)

xWastedMindx (636296) | more than 9 years ago | (#12981632)

wordpress released a fix for this [wordpress.org] on June 29. Changelog for 1.5.1.3 [wordpress.org]

Re:this is news? (1)

iamdrscience (541136) | more than 9 years ago | (#12981716)

It's news because just because something was patched by the developers 5 days ago doesn't mean that every user has patched their installations. I'm rather certain that the vast majority of people running these programs haven't patched them (or at least hadn't patched them until they read this slashdot post).

Re:this is news? (1)

tyagiUK (625047) | more than 9 years ago | (#12981727)

Kudos to the Wordpress guys for releasing a fix before the PHP exploit was widely broadcast. The upgrade was simple and fast.

Obviously, those Black Hats who wanted to know this stuff would already know it. The early release of this information to PHP-based developers did, however, limit the damage done by worms based on the exploit (see PHPBB exploit in December 2004).

Re:this is news? (1)

deathazre (761949) | more than 9 years ago | (#12981782)

now, honest question here, is this the same exploit that has had gentoo hard-masking wordpress for some time now?

Re:this is news? (1)

1110110001 (569602) | more than 9 years ago | (#12982059)

Yeah and Tobias Schlitt of Pear posted about it on the same day in his blog: http://www.schlitt.info/applications/blog/index.php?/archives/349-PEARXML_RPC-Security-vulnerability!.html [schlitt.info] and other PHP software, like Bitflux http://blog.bitflux.ch/archive/2005/06/29/bxcms-1-2-1-security-bugfix-release-codename-not-our-fault-2.html [bitflux.ch] , was patched on June 29th too.

http://www.php.net/ [php.net] had a news entry about the issue last week. So everyone should have patched their pear-libs in the meanwhile.

b4n

Wouldn't This Be Called an XML Injection Attack? (2, Interesting)

DanielMarkham (765899) | more than 9 years ago | (#12981635)

I know when the same technique is used to compromise web sites with SQL in the back end it's called SQL injection. [unixwiz.net] I guess this would be XML Injection? Or perhaps PHP Injection and XML is only the wrapper. XML Injection sounds cooler.

New wireless technology called XMax? [whattofix.com]

Re:Wouldn't This Be Called an XML Injection Attack (1)

haakondahl (893488) | more than 9 years ago | (#12981703)

XML Injection sounds cooler.
My rig's a dual-cooled PPC 975 with XML Injection and a Slashdot gearshift knob. Yea-a-a-ah, Buddy.

Re:Wouldn't This Be Called an XML Injection Attack (0)

Anonymous Coward | more than 9 years ago | (#12981759)

lol

Re:Wouldn't This Be Called an XML Injection Attack (0)

Anonymous Coward | more than 9 years ago | (#12981732)

Indeed, SQL injection attacks inject and run SQL commands, so this vulnerability would be a PHP Injection attack, as it's PHP code that gets executed on the server.

unhealthy (1, Offtopic)

isnochys (566268) | more than 9 years ago | (#12981645)

blogging will lead to insane children
--
www.isnochys.com

Choice of words (5, Funny)

Valacosa (863657) | more than 9 years ago | (#12981647)

"...major Internet security event."

A euphemism if I've ever heard one. Can I think of a better euphemism?

"Wardrobe malfunction"

Ah, there it is.

Re:Choice of words (1)

haakondahl (893488) | more than 9 years ago | (#12981739)

Can I think of a better euphemism? "Wardrobe malfunction"
Actually, I prefer your meta-euphemism.

I hear sirens. Wooo. Woooo. Woo wooo. (5, Funny)

dotslashdot (694478) | more than 9 years ago | (#12981666)

The Internet Storm Center Reports that a high pressure coding flaw in PHP has created an error mass large enough to cause a rotation in sysadmin heads and has issued a red hat/flag Internet surf warning for all surfing sites.

Re:I hear sirens. Wooo. Woooo. Woo wooo. (1)

jd (1658) | more than 9 years ago | (#12981682)

I thought the high pressure region in PHP was responsible for fine weather but storms later.

XML-RPC sucks. (0, Flamebait)

Anonymous Coward | more than 9 years ago | (#12981667)

It always did. It always will.

noticed something in my webserver logs (2, Interesting)

backslashdot (95548) | more than 9 years ago | (#12981671)

I saw a request for phpmyadmin/index.php in one of my web server logs on July 1st around 4 AM EDT ..

About 2 and a half hours ago i saw a request for phpmyadmin/index.php in my web server logs as well.

I don't have PHP or any forums installed ..and in the couple years my web server has been up (somewhat sporadically though) I haven't seen this request (just grepped the logs).

So my opinion is that this attack is in the wild. Can someone confirm?

Re:noticed something in my webserver logs (1)

xWastedMindx (636296) | more than 9 years ago | (#12981710)

I just checked my logs.. and nothing. Then again I upgraded my Wordpress install the day WP came out with a fix. ;) your best bet is to just delete the xmlrpc.php file, if you got one.

In the wild? (2, Informative)

Saeed al-Sahaf (665390) | more than 9 years ago | (#12981766)

... I saw a request for phpmyadmin/index.php in one of my web server logs...

and...

So my opinion is that this attack is in the wild. Can someone confirm?

Probably just some script kiddie looking for a phpMyAdmin install not behind a password.

Re:noticed something in my webserver logs (0)

Anonymous Coward | more than 9 years ago | (#12981905)

I can confirm. I run a private server where the only user is mostly me. And even I got some signs of the attack, for example these folders are trying to be accessed: /var/www/forum /var/www/phpBB /var/www/forums /var/www/phpbb /var/www/board /var/www/boards /var/www/phpBB2 /var/www/msgboard /var/www/foros /var/www/portal
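The probing described in this post and the one above (requests for phpmyadmin/index.php and for a run of forum directory names, on a server that hosts none of them) is easy to surface from an access log. The following is an added example, not code from any poster or from any project: a small Python script that parses Apache combined-format lines, flags requests for a watchlist of paths taken from these posts plus the xmlrpc.php endpoint the advisory concerns, and reports any client that probes several distinct paths the server answered with 404. The log lines, client addresses and the threshold are constructed for the example.

```python
"""Spot directory/application probing in an Apache access log.

Added example (not code from the thread or from any project). The log lines,
client addresses and the scan threshold below are constructed for illustration.
"""
import re
from collections import defaultdict

# Apache "combined" log format, simplified just enough for the sample lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the commenters saw probed, plus the XML-RPC endpoint from the advisory.
# Entries match whole path components, so "/board" does not match "/boards".
WATCHLIST = (
    "/phpmyadmin/index.php", "/xmlrpc.php",
    "/forum", "/phpBB", "/forums", "/phpbb", "/board", "/boards",
    "/phpBB2", "/msgboard", "/foros", "/portal",
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2005:04:02:11 -0400] "GET /phpmyadmin/index.php HTTP/1.0" 404 292
203.0.113.7 - - [01/Jul/2005:04:02:12 -0400] "GET /forum/ HTTP/1.0" 404 289
203.0.113.7 - - [01/Jul/2005:04:02:12 -0400] "GET /phpBB2/ HTTP/1.0" 404 290
203.0.113.7 - - [01/Jul/2005:04:02:13 -0400] "GET /board/ HTTP/1.0" 404 289
198.51.100.9 - - [01/Jul/2005:09:15:40 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jul/2005:09:15:41 -0400] "GET /style.css HTTP/1.1" 200 812
192.0.2.44 - - [04/Jul/2005:22:48:03 -0400] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 413
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def watchlist_hit(path):
    """Return the watchlist entry that `path` matches, or None.

    The query string is dropped and a trailing slash ignored, so that
    "/forum/?x=1" still matches "/forum" while "/forums" does not.
    """
    clean = path.split("?", 1)[0].rstrip("/") or "/"
    for entry in WATCHLIST:
        if clean == entry or clean.startswith(entry + "/") or clean.endswith(entry):
            return entry
    return None


def analyze(log_text, scan_threshold=3):
    """Summarise a log: watchlist hits, and clients that probe many missing paths.

    A client is reported as a scanner once it has requested at least
    `scan_threshold` distinct paths that the server answered with 404.
    """
    hits = []
    missing_paths = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip it rather than crash the monitor
        if watchlist_hit(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
        if rec["status"] == 404:
            missing_paths[rec["ip"]].add(rec["path"])
    scanners = {ip: len(paths) for ip, paths in missing_paths.items()
                if len(paths) >= scan_threshold}
    return {"watchlist_hits": hits, "scanners": scanners}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["scanners"].items():
        print(f"scanner: {ip} probed {n} distinct missing paths")
    for ip, method, path, status in report["watchlist_hits"]:
        print(f"watchlist: {ip} {method} {path} -> {status}")
```

A POST to xmlrpc.php is ordinary traffic on a blog that offers XML-RPC to its clients, so the script lists it for review rather than calling it a scan; the scanner report is what separates the directory sweeps the posters saw from a single suspicious request.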

Re:noticed something in my webserver logs (1)

sleeper0 (319432) | more than 9 years ago | (#12982053)

exploit doesn't affect PHPBB, so this is unrelated - there are plenty of other phpBB exploits. Similar to the grandparent, those were unrelated scans for an unprotected base php install.

as far as it being "in the wild" since the web page explains exactly how to perform it in a few lines of code, that should qualify as in the wild.

Re:noticed something in my webserver logs (0)

Anonymous Coward | more than 9 years ago | (#12982067)

So my opinion is that this attack is in the wild. Can someone confirm?

Yes, it is your opinion by virtue that you were the one who said it. Unless you usually say things that aren't your opinion, your statement was correct.

HTH. HAND.

i was hacked yesterday (2, Funny)

larry bagina (561269) | more than 9 years ago | (#12981681)

via this exploit. i was at my box (an old pentium II running gentoo, natch) when it happened. I heard the disk start thrashing and knew something was wrong so i pulled the plug on it, before it could be turned into a spam-spewing zombie (or worse). If you don't have tripwire to verify nothing was trojaned, you should probably wipe your hard drive and reinstall.

This appears to be the same exploit that hackers used on cowboyneal.org a few months back.

Re:i was hacked yesterday (3, Insightful)

DrSkwid (118965) | more than 9 years ago | (#12981748)

sounds like you are a bit paranoid there larry me old beauty

not quite got a handle on locking your box down so your web server can only write to specific directories huh, well, you might learn now.

Not running your webserver chrooted ? well, you might learn now.

Wiping your hard drive is very Windows.

Re:i was hacked yesterday (2, Funny)

Anonymous Coward | more than 9 years ago | (#12982031)

Let's think about this for a second.

Pentium II.. Gentoo.. Wiped.

Ouch. I wouldn't wanna' watch him reinstall that.

Re:i was hacked yesterday (2, Informative)

myov (177946) | more than 9 years ago | (#12982174)

If a box is compromised, the only way to know you have removed everything is to wipe it and reinstall from clean media. It doesn't matter what platform.

On the insecurity of PHP blogging (3, Informative)

Haiku 4 U (580059) | more than 9 years ago | (#12981686)

Use alternatives!
Why not an app called Blosxom? [blosxom.com]
It's tiny Perl scripts.

slashcode it is then (1)

grqb (410789) | more than 9 years ago | (#12981705)

For once I don't regret using slashcode then! I'm sure there must be other reasons...

Don't want to bash PHP.... (3, Interesting)

afra242 (465406) | more than 9 years ago | (#12981712)

I really don't want to bash PHP - it seems flexible. However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents, and things are working faster and more secure. Having said that, it was hard to find the Perl equivalents and even harder to find good support for it (ie. themes, etc). I'm still looking for a good Gallery replacement written in Perl.

Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

phpBB is a good example of this. Every other week, they have some security issue.

Re:Don't want to bash PHP.... (1)

DrSkwid (118965) | more than 9 years ago | (#12981763)

I've waded through the php code on a few of the major php projects out there.

I can only say that I was shocked in the first one, I was battle hardened by the time I untarred number two.

sql injection & register_globals were my favourite finds.

"you need to have your files set to chmod 777 for this to work" is another pearler.

Re:Don't want to bash PHP.... (2, Informative)

Mr2001 (90979) | more than 9 years ago | (#12981826)

"you need to have your files set to chmod 777 for this to work" is another pearler.

This is necessary because mod_php runs scripts as the same user who started httpd, usually "nobody", so any files you want your PHP scripts to write to has to be world-writable. The problem would go away if mod_php could just run PHP scripts as their owners, instead of as the user running httpd!

You can already install suphp to do this, but you pay a performance penalty, since it has to start a new process for each invocation.

mod_php's advantage is that it runs scripts in the httpd process, so of course they have the same permissions as the user running httpd. But it could be changed: spawn a new process for each unique user who owns a PHP script (setuid to that user), and have the main httpd process communicate to the appropriate user's child process via a local socket whenever it's time to run one of their scripts. Then you only have to spawn one process for each user, and once that's done, the scripts could run just as fast as they do now.

Re:Don't want to bash PHP.... (1)

cortana (588495) | more than 9 years ago | (#12981887)

Apache2 does that with the Perchild MPM. Unfortunately this can't be used with PHP without running into insoluble threading issues. :(

Re:Don't want to bash PHP.... (1)

Mr2001 (90979) | more than 9 years ago | (#12981976)

This Perchild MPM [apache.org] ? "This module is not functional. Development of this module is not complete and is not currently active. Do not use perchild unless you are a programmer willing to help fix it." Doesn't seem like something I could use for a production web site. ;)

Re:Don't want to bash PHP.... (1)

geekdreams (881813) | more than 9 years ago | (#12982098)

Doesn't seem like something I could use for a production web site. ;)
Neither does Apache 2.

Re:Don't want to bash PHP.... (1)

Fweeky (41046) | more than 9 years ago | (#12981891)

mod_fastcgi allows suexec of application servers using the process manager. All the speed of mod_php/perchild hacks and more isolation and portability.

Re:Don't want to bash PHP.... (4, Informative)

EvilIdler (21087) | more than 9 years ago | (#12982019)

Thank goodness for suPHP:
http://www.suphp.org/Home.html [suphp.org]

My host uses this, so I don't need world-readable files and directories in my
~/www/ directories for each site. The webserver may run as nobody, but the
PHP scripts run as the same user I log in as to upload the files.

Re:Don't want to bash PHP.... (5, Funny)

Mr2001 (90979) | more than 9 years ago | (#12982047)

BTW, suphp is my favorite way to check the overall status of an HP-UX system.

# suphp
Not much, runnin' some processes. 'Sup with you?

Re:Don't want to bash PHP.... (1)

uss_valiant (760602) | more than 9 years ago | (#12982038)

the solution is php-fastcgi+suExec. fastcgi and not cgi, because cgi is too slow, especially for shared webhosting. suExec is used to run each php instance under the corresponding account's user.

Re:Don't want to bash PHP.... (1)

onlyjoking (536550) | more than 9 years ago | (#12982110)

No, the REAL solution is Persistent Perl.

Re:Don't want to bash PHP.... (0)

Anonymous Coward | more than 9 years ago | (#12982135)

This is necessary because mod_php runs scripts as the same user who started httpd, usually "nobody", so any files you want your PHP scripts to write to has to be world-writable.

Just create a separate daemon that runs as a separate user id (daemontools is perfect for this, no special daemon programming required on your part), and have the web process communicate with the daemon using a simple well-defined protocol over a socket. Then if someone takes over the web server, they can only do whatever that protocol allows them to.

These problems were solved years ago. Just partition your processes. Ignorance is not an excuse.
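The design this post and Mr2001's earlier one describe (a helper running under its own user id, reached from the web process over a local socket with a small fixed protocol, so that a compromised web server can do only what the protocol allows) is easy to see in miniature. The following is an added example, not code from either poster or from any project: a Python helper daemon that accepts exactly two commands over a Unix socket, validates every field against an allow-list, and refuses everything else. The protocol, the APPEND/COUNT commands and the guest-book file names are all constructed for the example; the daemon runs in a thread here so the example is self-contained, whereas in a real deployment it would be a separate process under its own uid.

```python
"""Privilege separation for a web tier: a tiny helper daemon behind a Unix socket.

Added example (not code from the thread or from any project). The protocol,
the APPEND/COUNT commands and the guest-book file names are constructed for
illustration. The daemon is meant to run as its own uid; here it runs in a
thread so the example is self-contained.
"""
import os
import re
import socket
import tempfile
import threading

# Only short lowercase identifiers are accepted as file names: no "/", no "..",
# so the web tier cannot name an arbitrary path.
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
MAX_TEXT = 512


def handle_request(line, store_dir):
    """Validate one request line and perform it against files under store_dir.

    Protocol (one request per connection, newline-terminated):
        APPEND <name> <text>   append a line to <store_dir>/<name>.txt
        COUNT <name>           number of lines in that file
    Anything else is refused. This allow-list is the whole of what a
    compromised web process could make the daemon do.
    """
    parts = line.rstrip("\n").split(" ", 2)
    cmd = parts[0]
    if cmd == "APPEND" and len(parts) == 3:
        name, text = parts[1], parts[2]
        if not NAME_RE.match(name):
            return "ERR bad name"
        if len(text) > MAX_TEXT:
            return "ERR text too long"
        with open(os.path.join(store_dir, name + ".txt"), "a", encoding="utf-8") as f:
            f.write(text + "\n")
        return "OK"
    if cmd == "COUNT" and len(parts) == 2:
        name = parts[1]
        if not NAME_RE.match(name):
            return "ERR bad name"
        path = os.path.join(store_dir, name + ".txt")
        if not os.path.exists(path):
            return "OK 0"
        with open(path, encoding="utf-8") as f:
            return "OK %d" % sum(1 for _ in f)
    return "ERR unknown command"


def make_listener(sock_path):
    """Bind and listen on a Unix socket before the daemon loop starts."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    return srv


def run_daemon(srv, store_dir):
    """Serve requests until a client sends QUIT. In production this loop runs
    in a separate process under its own user, supervised e.g. by daemontools."""
    with srv:
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rw", encoding="utf-8") as f:
                line = f.readline()
                if line.rstrip("\n") == "QUIT":
                    return
                f.write(handle_request(line, store_dir) + "\n")
                f.flush()


def web_side_call(sock_path, request):
    """What the web process does: send one line, get one line back."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        with c.makefile("rw", encoding="utf-8") as f:
            f.write(request + "\n")
            f.flush()
            return f.readline().rstrip("\n")


def demo():
    """Run the daemon in a thread and exercise the protocol; returns the replies."""
    store = tempfile.mkdtemp()
    sock_path = os.path.join(store, "helper.sock")
    srv = make_listener(sock_path)
    t = threading.Thread(target=run_daemon, args=(srv, store), daemon=True)
    t.start()
    requests = [
        "APPEND guestbook hello from the web tier",
        "APPEND ../../etc/passwd x",   # refused: name fails the allow-list
        "COUNT guestbook",
        "DELETE guestbook",            # refused: not in the protocol
    ]
    replies = [web_side_call(sock_path, r) for r in requests]
    web_side_call(sock_path, "QUIT")
    t.join(timeout=5)
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The file permissions do the rest: the store directory is owned by the daemon's user and is not writable by the web server's user, so the only write path from the web tier is the validated APPEND.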

Re:Don't want to bash PHP.... (2, Funny)

KhaZ (160984) | more than 9 years ago | (#12981780)

The reason that no one's hacked the Perl equivs. is that not even the hackers want to code in Perl.

(Jus' trolling. I'd write in BrainFuck [muppetlabs.com] over Perl.)

Re:Don't want to bash PHP.... (3, Insightful)

Saeed al-Sahaf (665390) | more than 9 years ago | (#12981796)

Obviously, security issues aren't always the language but usually come from the people who write it. It just seems to me that, since PHP is more popular for writing forums, image galleries, etc, that there are a lot more careless coders out there coding in PHP.

Exactly. And, this is a very important point that all the Perl / Ruby / Python / Whatever FANBOYS like to ignore.

phpBB is a good example of this. Every other week, they have some security issue.

Come on now, you know very well that's an exaggeration.

Re:Don't want to bash PHP.... (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12981811)

phpBB is a good example of this. Every other week, they have some security issue.

Come on now, you know very well that's an exaggeration.


Seriously, at least once a week.

PHP definitely needs to be less ad hoc (1)

ShatteredDream (636520) | more than 9 years ago | (#12981860)

The biggest problem I have always had with PHP is that it has never struck me like it was developed by a team and community that had any genuine sense of direction like the Perl and Python teams. IMO, what'd be a real coup for the Python community would be to really work on getting mod_python's PSP support distributed around to as many hosts as possible. It's a lot easier to write good code in Python than it is in PHP.

Re:Don't want to bash PHP.... (1)

uss_valiant (760602) | more than 9 years ago | (#12982001)

You don't need a perl replacement for Gallery.
Choose G2 (Gallery 2), you will notice that it's a whole new application. It has no code in common with Gallery 1. And all inputs are checked thoroughly.
It's the cleanest PHP code I've ever seen. No spaghetti code. See: G2 Development Guidelines [menalto.com] . (G2 is almost finished, it's in its last beta cycle)

Re:Don't want to bash PHP.... (1)

Sepodati (746220) | more than 9 years ago | (#12982026)

there are a lot more careless coders out there coding in PHP.

That's exactly the issue. This isn't a PHP vulnerability. It's a poorly written script that doesn't check input properly.

It annoys me to see PHP blamed for stuff like this when it's poor programmers that should be blamed. PHP is just easy to learn, so there are a lot of bad programmers out there creating scripts like this.

I can't honestly say the xml-rpc scripts are bad because of this one issue, though, as I've never used it and only looked at the source after this story was posted.

---John Holmes...

Re:Don't want to bash PHP.... (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12982075)

I really don't want to bash PHP - it seems flexible.

You should bash PHP. It's an awful language. I don't think I'd call it flexible. I might call Lisp flexible. Try sorting an array of objects by comparing a field from each object in PHP. Now try it in Ruby. But that's not important at the moment, after all, we all had to start somewhere.

However, after having people break into my server through phpBB and Gallery, I replaced those apps with their mod_perl equivalents

This has nothing to do with PHP itself. Your server is no more secure today than it was last week.

The problem is a simple one: PHP is popular, so it attracts a lot of programmers. I would estimate that about 80% of all programmers (open-source or otherwise) are just incompetent, so phpBB, WordPress, etc., are written VERY poorly.

phpBB is a good example of this. Every other week, they have some security issue.

Again, it has NOTHING to do with the language. Take a look at phpBB's source code. Take a look at the code that contained the security hole patched recently:

$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b("
. str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));

phpBB is full of crap like that. This is what you're trusting your server security to. "Are you feeling lucky"?

... lucky (1)

onlyjoking (536550) | more than 9 years ago | (#12982139)

This here's a 48 Magnum that'll blow your head right off. Now you gotta ask yourself one question, "Do I feel lucky?". Well, DO YA, PUNK?

Re:Don't want to bash PHP.... (1)

otis wildflower (4889) | more than 9 years ago | (#12982159)

You should bash PHP. It's an awful language.

Thanks for validating my own budding prejudice!

Seriously, data 'structures' and OO in PHP are teh unfun. Perl may look like line noise but at least it's _meaningful_ line noise.. $@% are distinct sigils, though () and [] could be differentiated better.

My God! (1)

iamdrscience (541136) | more than 9 years ago | (#12981728)

PostNuke has a serious security vulnerability? I am SOOOOO surprised!

Not PostNuke's issue this time, though... (1)

Sepodati (746220) | more than 9 years ago | (#12982046)

Normally I'd agree, but in this case, it's a PHP script written by someone else that's vulnerable. Any application using the xml-rpc server script (a plain old PHP script) is vulnerable because the developer didn't check user input.

---John Holmes...

Why PHP? (2, Insightful)

mcc (14761) | more than 9 years ago | (#12981736)

It seems like there's a lot of security advisories along these lines lately and they mostly seem to revolve around PHP site engines. Why PHP? Why not perl, or python, or Ruby?

Is there something about PHP that's making these things likely as opposed to some other language (which seems unlikely, there's plenty of simple mistakes you can make just as easily in perl, i.e. poor scrubbing of regexp/sql content), or is it just that there are more inexperienced people writing PHP code out there, or is it just that PHP site engines are getting installed by more security-inexperienced people, or are the PHP exploits getting publicized more, or am I just noticing them more?

What's going on here?

Re:Why PHP? (0)

Anonymous Coward | more than 9 years ago | (#12981816)

Well, because it's shit.

I don't call it 'the tool for tools' for nothing.

Re:Why PHP? (4, Insightful)

eddy the lip (20794) | more than 9 years ago | (#12981892)

...or is it just that there are more inexperienced people writing PHP code out there...

Bingo...PHP has a very low barrier to entry. Add to that that it's mainly used in a networked environment, and you're going to have problems. You could code up this exact same problem in perl - the only difference is that by the time you knew enough to get input from the network into your script and passed to eval, you'd probably have had it beaten into you that it's a crime punishable with flogging.

There may be cultural differences at work here as well. XML-RPC is in PEAR and often recommended as a good way of implementing this kind of functionality. This isn't a bug-free guarantee, but there should be some minimal level of quality implied by that. Passing untrusted input directly to eval is gross negligence, and it sort of amazes me that no one noticed this before. I've read a lot of PHP and a lot of perl. It's easy to find crap, bug-riddled code in both. The main difference seems to be that crappy perl code isn't tolerated near so quickly. Crappy PHP code becomes a flagship application.
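The point made here, that an XML-RPC server must parse a request as data and never hand it to eval, is short to demonstrate. The following is an added example, not code from this poster, from PEAR or from any project: a minimal XML-RPC dispatch core in Python that parses the request with the standard library's xmlrpc.client, resolves the method name against a fixed allow-list, type-checks the parameters, and answers with a fault for anything else. The method names, the post store and the sample request are constructed. One caveat a practitioner would want: the standard-library parser behind xmlrpc.client is not hardened against XML entity-expansion attacks, so a production server would parse through defusedxml.xmlrpc instead.

```python
"""Parse, dispatch, never eval: a minimal XML-RPC server core in Python.

Added example (not code from the thread, from PEAR or from any project). The
method names, the post store and the sample request are constructed. Uses
xmlrpc.client.loads/dumps from the standard library; for production, swap the
parser for defusedxml.xmlrpc to resist entity-expansion attacks.
"""
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Constructed in-memory data.
POSTS = {"1": {"title": "Hello world", "body": "first post"}}


def get_post(post_id):
    """Return a post. Parameters are checked for type and shape before use."""
    if not isinstance(post_id, str) or not post_id.isdigit():
        raise ValueError("post id must be a numeric string")
    if post_id not in POSTS:
        raise KeyError(post_id)
    return POSTS[post_id]


def echo(value):
    """Return the parameter unchanged; shows that parameters are data, not code."""
    return value


# The only methods a caller can reach; any other name is unresolvable.
HANDLERS = {"blog.getPost": get_post, "demo.echo": echo}


def fault(code, message):
    """Encode a methodResponse carrying a fault (codes from the XML-RPC fault spec)."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message),
                               methodresponse=True).encode()


def dispatch(request_xml):
    """Turn a raw methodCall document into a methodResponse document (bytes)."""
    try:
        params, method = xmlrpc.client.loads(request_xml)
    except (ExpatError, ValueError, TypeError, KeyError):
        return fault(-32700, "parse error: not well formed")
    handler = HANDLERS.get(method)
    if handler is None:
        return fault(-32601, "method not found")
    try:
        result = handler(*params)
    except (TypeError, ValueError, KeyError):
        return fault(-32602, "invalid method parameters")
    return xmlrpc.client.dumps((result,), methodresponse=True).encode()


def roundtrip(method, *params):
    """Client side: build a request, run it through dispatch, decode the reply.
    Raises xmlrpc.client.Fault when the server answered with a fault."""
    request = xmlrpc.client.dumps(params, methodname=method).encode()
    (value,), _ = xmlrpc.client.loads(dispatch(request))
    return value


def call_status(method, *params):
    """Return ("ok", value) or ("fault", code) for a call made through dispatch."""
    try:
        return ("ok", roundtrip(method, *params))
    except xmlrpc.client.Fault as f:
        return ("fault", f.faultCode)


# Constructed wire-format request. The parameter looks like an expression,
# but it is only ever handled as a string and comes back unevaluated.
REQUEST_XML = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params><param><value><string>7 * 6</string></value></param></params>
</methodCall>
"""

if __name__ == "__main__":
    print(dispatch(REQUEST_XML).decode())
```

The contrast with the flaw under discussion is in dispatch: the method name is a dictionary key and the parameters are Python values produced by a parser, so nothing a client sends is ever interpreted as code.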

Re:Why PHP? (3, Insightful)

Saeed al-Sahaf (665390) | more than 9 years ago | (#12981918)

...Is there something about PHP that's making these things likely as opposed to some other language...

See below.

...or is it just that there are more inexperienced people writing PHP code out there...

Yes.

...or is it just that PHP site engines are getting installed by more security-inexperienced people...

Yes.

...or are the PHP exploits getting publicized more...

Yes.

...or am I just noticing them more...

Yes.

Re:Why PHP? (1)

iamdrscience (541136) | more than 9 years ago | (#12981924)

I'd attribute it to the fact that PHP is a more popular platform, more people programming in PHP means more software using PHP, more software using PHP means more users running that software, more PHP web apps running means more people trying to exploit those web apps.

The fact that there are more inexperienced people writing PHP code is something that contributes to PHP web apps as a whole, but not really to these recent big exploits particularly.

Re:Why PHP? (0)

Anonymous Coward | more than 9 years ago | (#12981926)

The real problem is that PHP is installed on nearly every web server, so any issues which occur affect a large number of servers. There are some other issues as well. There are a number of widely used popular apps which are poorly coded, allowing for SQL injection, cross site scripting attacks, among other things. As far as PHP itself goes, the kitchen sink approach to its function library allows more bugs to occur in the language itself. Adoption of something similar to Perl's tainted variable checking would help quite a bit with the poor coding.

WordPress Fix (0)

Anonymous Coward | more than 9 years ago | (#12981740)

There's already a fix for WordPress.

We would like to announce that WordPress 1.5.1.3 is now released as we continue the availability of a highly stable and extremely popular branch based on the 1.5 Strayhorn codebase. Development has moved on to some exciting new features for the next major release, but an important security issue was brought to our attention which required an update for our users. The problem is not yet public but you should update your blog as soon as possible to 1.5.1.3. If you are unable to upgrade in the short-term you may protect yourself by deleting the xmlrpc.php file from your WordPress directory.

Un-Exploitable (1)

Manip (656104) | more than 9 years ago | (#12981743)

If I read this correctly the vulnerability lies in how these blogging programs fetch RSS feeds from various places in that they don't check the input first. What are the chances that any popular blogs will link to sites likely to exploit this? And know how?

A worm is very unrealistic for the simple reason that blogging isn't popular enough and cross-linked well enough. Although there are junctions in blogging networks very few automated blogs pull from these areas, they are primarily designed for user use.

I'm sure this 'Internet Storm Centre' loved all this attention but it doesn't reflect on how good their alerts are or if there are any experts.

Patching Serendipity (1)

raarky (653241) | more than 9 years ago | (#12981747)

From the s9y forums:

http://www.s9y.org/forums/viewtopic.php?t=2034 [s9y.org]

Save yourself the hassle of doing a complete upgrade by simply downloading the new version and only copying the files from bundled-libs/XML/*

Stupid eval... (1)

Spy der Mann (805235) | more than 9 years ago | (#12981770)

it amazes me people still use that thing. Scary. Nasty. Creepy.
Should be forbidden from php.

Ironically, didn't the Windows Logo Certification forbid people from using "system"?

(ouch)

of course this has nothing to do with linux (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12981772)

linux is still super stable secure etc etc etc.
only if you have php on windows should you worry.

W00t fMp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12981788)

Re:W00t fMp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12981882)

Pumpkin!

Open-source, bah! (0, Offtopic)

tonyblake2003 (892461) | more than 9 years ago | (#12981808)

How *dare* an open-source product have bugs! This is exactly the reason that I threw my MSWin servers into the sea. Now you're expecting me to update my PHP libs? God almighty, you're all the same.

mod_perl (0, Flamebait)

holy zarquon's singi (640532) | more than 9 years ago | (#12981936)

And that's exactly why I use mod_perl for this kind of stuff. That and perl is a more flexible language

kdedevelopers.org hit by this earlier today. (0)

Anonymous Coward | more than 9 years ago | (#12982023)

kdedevelopers.org was hit by this flaw earlier today. And drupal's website no longer seems to have a list of drupal-using websites (I would suppose for this reason).