XML-RPC et WordPress

Vu dans un certain nombre de blogs et sources en ligne au cours des deux derniers jours, cet annonce conercnant une faille critique dans la fonction XML-RPC (lien en anglais):

Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

(Lien complet sur Netcraft ici)

Je dois admettre qu’avant de lire ceci, je n’avais absolument aucune idée de ce qu’était XML-RPC. Cependant, aujourd’hui, Matthew Mullenweg (le créateur de WordPress) a publié cette entrée dans son blog (en anglais également):

To clarify for all the confused people WordPress is not affected by the recent XML-RPC problem that lots of other apps were. We use different, more secure libraries for XML-RPC. The problem was discovered by the same guy though, I imagine he was auditing our code and found totally unrelated, which we fixed in our recent release. Of course you wouldn’t guess that from the title, “PHP Blogging Apps Vulnerable to XML-RPC Exploits.” Let’s go down the list: PostNuke – content management; WordPress – blogging; Drupal – content/community management; Serendipity – blogging; phpAdsNew – ad serving; phpWiki – wiki (not blogging); phpMyFAQ – FAQ management. If it bleeds it leads, right?