Stefan Esser from Hardened-PHP has reported yet another vulnerability in the XML-RPC library depended on by many open source projects, and Drupal, the publishing platform that powers the FOCUS church website, has released security updates for its 4.6.x and 4.5.x branches.
The security advisory can be seen here. All Drupal users are encouraged to upgrade as soon as possible, or alternatively remove xmlrpc.php from the root Drupal directory.
I took a look at the change log in 4.6.3, and noticed that there were more than just security updates. There are also some minor bug fixes, so I guess it is worthwhile to upgrade even if you do not use XML-RPC to post stories.
And instead of patching the old Useful Inc's XML-RPC library again, someone back-ported Drupal 4.7.0's new XML-RPC library, which is based on the Incutio XML-RPC Library. Much less brain dead than Useful Inc's one (that's the one we use at work), and hopefully it will be more secure.
That was a great effort from the Drupal guys - less than 3 days of turnaround from the announcement, code patched and new version released. Now I am wondering when the WordPress people will release a new version, as I can see the "register_globals" exploit is about to go wild...