PHP XML-RPC Vulnerability

As discussed on Slashdot, there is another PHP library vulnerability, this one affecting PEAR's XML-RPC module. James at GulfTech has demonstrated this vulnerability with an exploit. It turns out the PHP XML-RPC library calls eval() without checking its input, which allows arbitrary PHP code to be executed if the XML-RPC message is cleverly crafted.

The latest version of PHP XML-RPC is already available, and you can also use:

# pear clear-cache
# pear upgrade XML_RPC

to update PEAR automatically. However, many hosts out there do not follow security news closely and will not update the PEAR library for you. There are also copies of the PHP XML-RPC library bundled with other existing applications, and these will not be updated unless you manually upgrade the whole package. As this vulnerability is serious - an attacker can insert arbitrary PHP code, which can easily lead to compromise of the whole system - I can smell the storm coming.
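To find the bundled copies mentioned above, here is an added example (not from the original post or from the PEAR project) that audits a web root for XML-RPC library files that still call eval(). The helper name find_xmlrpc_eval and the marker strings XML_RPC and xmlrpc are assumptions, and a hit only means the copy should be reviewed and upgraded.

```sh
#!/bin/sh
# Added example (not from the original post): heuristic audit of a web root
# for XML-RPC library copies that call eval(). A hit means "review and
# upgrade this copy", not proof that it is exploitable.

# Assumption: a library copy mentions one of these markers in its source.
MARKERS='XML_RPC|xmlrpc'

# find_xmlrpc_eval ROOT  (hypothetical helper name)
# Prints "path<TAB>count" for each .php/.inc file under ROOT that contains a
# marker and has at least one non-comment line calling eval(.
find_xmlrpc_eval() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type f \( -name '*.php' -o -name '*.inc' \) -exec sh -c '
        markers=$1; shift
        for f in "$@"; do
            # Skip files that do not look like XML-RPC library code.
            grep -Eqi "$markers" "$f" || continue
            # Drop whole-line comments, then count lines that call eval(.
            n=$(grep -Ev "^[[:space:]]*(//|#|/?\*)" "$f" |
                grep -Ec "(^|[^A-Za-z0-9_])eval[[:space:]]*\(") || true
            if [ "$n" -gt 0 ]; then printf "%s\t%s\n" "$f" "$n"; fi
        done
    ' sh "$MARKERS" {} + | sort
}

# Run as: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then find_xmlrpc_eval "$1"; fi
```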

By the way, this has little to do with the WordPress 1.5.1.3 security fix. While both are related to XML-RPC calls, they are actually quite independent patches. WordPress' issue is to do with not escaping the incoming data properly, which might result in SQL injection. While all security bugs are bad, I reckon a SQL injection is not as easy to exploit as PHP code injection. Still, please upgrade your WordPress version.

And the WordPress team still has not fixed the backslash issue in XML-RPC calls. Eagerly waiting for 1.5.1.4...

Update: Matt M clarified for the potentially confused Slashdot crowd that the recent WordPress patch has little to do with the XML-RPC vulnerability previously discovered, probably taken from someone's suggestion.