Yzabel / July 6, 2005

Seen in many blogs and online sources in the past two days is this announcement regarding a critical flaw in the XML-RPC PHP function:

Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

(Full article from Netcraft here)I must admit that before reading that, I had absolutely no idea of what XML-RPC was. However, as of today, Matthew Mullenweg (creator of WordPress) has released this statement in his blog:

To clarify for all the confused people WordPress is not affected by the recent XML-RPC problem that lots of other apps were. We use different, more secure libraries for XML-RPC. The problem was discovered by the same guy though, I imagine he was auditing our code and found totally unrelated, which we fixed in our recent release. Of course you wouldn’t guess that from the title, “PHP Blogging Apps Vulnerable to XML-RPC Exploits.” Let’s go down the list: PostNuke – content management; WordPress – blogging; Drupal – content/community management; Serendipity – blogging; phpAdsNew – ad serving; phpWiki – wiki (not blogging); phpMyFAQ – FAQ management. If it bleeds it leads, right? 😉

Best to upgrade to 1.5.1.3 anyway. After all, updates are meant to be used!