NOTICE:
This content is in the "archives" of a retired blog called Gadgetopia. It has been moved to this subdomain as it is no longer considered relevant to the site. It is being hosted here for an indeterminate period of time. Its existence at this URL is not guaranteed, and it may be removed at any time. If you would like to refer to this content in the future, you are encouraged to save it to your local file system.

Some content from Gadgetopia was moved to the technical blog on deanebarker.net

PHP XML-RPC Vulnerability

Originally published by "dbarker" on 2005-07-05 15:04:00Z

PHP Blogging Apps Vulnerable to XML-RPC Exploits: This is very, very bad.

Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.

[…] By creating an XML file that uses single quotes to escape into the eval() call, an attacker can easily execute PHP code on the target server.

Ouch.
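The two shapes side by side, as an added PHP example that is not code from the original post or from any of the projects named above: the eval()-based decoding the article describes, and a handler that keeps XML data as data. The method name "blog.echo" and the handler table are assumptions.

```php
<?php
// Vulnerable shape (illustrates the article's description, not any project's real
// code): XML-supplied text is spliced into PHP source and eval()'d, so a single quote
// in the data ends the string literal and whatever follows it runs as PHP.
function decodeStringViaEval(string $text): string
{
    eval('$decoded = \'' . $text . '\';');
    return $decoded;
}

function faultResponse(string $message): string
{
    return '<methodResponse><fault><value><string>' . htmlspecialchars($message, ENT_XML1)
        . '</string></value></fault></methodResponse>';
}

// Hardened shape: data never becomes code. A real XML parser hands back the text nodes,
// and an allowlist of method names maps to handlers instead of building source text.
function handleXmlRpc(string $xml, array $handlers): string
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || $doc->getName() !== 'methodCall' || !isset($doc->methodName)) {
        return faultResponse('malformed request');
    }
    $method = (string) $doc->methodName;
    if (!isset($handlers[$method])) {
        return faultResponse('unknown method: ' . $method);   // refused, never evaluated
    }
    $params = [];
    if (isset($doc->params)) {
        foreach ($doc->params->param as $param) {
            $params[] = (string) $param->value->string;       // copied as text only
        }
    }
    return '<methodResponse><params><param><value><string>'
        . htmlspecialchars($handlers[$method](...$params), ENT_XML1)
        . '</string></value></param></params></methodResponse>';
}

// Constructed request: the apostrophe that breaks the eval() decoder is just a character here.
$request = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>blog.echo</methodName>
  <params><param><value><string>O'Reilly's post</string></value></param></params>
</methodCall>
XML;

echo handleXmlRpc($request, ['blog.echo' => fn(string $s): string => strtoupper($s)]), PHP_EOL;
```

Feeding the same string to decodeStringViaEval() produces a PHP parse error rather than the value, which is exactly the boundary the attack in the article crosses; the parser-based handler returns the uppercased string inside a methodResponse.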

Comment by "Glenn" on 2005-07-06 17:27:00Z
Actually, WordPress is fine (see [Matt](http://photomatt.net/2005/07/05/xml-rpc-vulnerability/))