
WARNING: PHP XML-RPC Vulnerability

jshanley
As seen on the PHP webpage - there is an exploitable security vulnerability in the XML-RPC module. Some people have reported attempts to exploit this vulnerability already.

This module is upgradeable by doing a:

pear upgrade XML_RPC

Plesk does not seem to ship with pear though (at least not on FreeBSD), so updating those systems will be a little more interesting.

Some software that uses XML-RPC, and may (or may not) be installed on your machines:

Wordpress, Postnuke, phpWiki, etc.

More info here and here.


Just giving a heads up. Hopefully SW-Soft will release a hotfix..

-J
 
Only place on FreeBSD I found pear was in HORDE, I can't find a way to upgrade the RPC_XML though..
 
Fix

Victor K. @ sw-soft support was nice enough to mention that pearcmd.php can be used in place of the normal "pear" command.

Here is the way to fix your system, at least on FreeBSD. Note that Horde seems to use XML-RPC (at least it ships with it, so...)

1) edit /usr/local/psa/psa-horde/pear/pearcmd.php

change the line:

ini_set('include_path', '/home/jan/pear_root/share/pear');

to:

ini_set('include_path', '/usr/local/psa/psa-horde/pear');

2) Then do:

/usr/local/psa/apache/bin/php /usr/local/psa/psa-horde/pear/pearcmd.php upgrade XML_RPC

It will sit there for a few seconds, then update the module.

Just to be safe, I'd suggest restarting apache.

-J
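The two FreeBSD steps above as a script (an added example, not code from the thread or from SW-Soft): it patches the include_path line in pearcmd.php, keeps a backup, verifies the change, and only then runs the upgrade command from the post. The php and pear paths are the ones the post gives; the sample pearcmd.php content used for the dry run is constructed here.

```shell
#!/bin/sh
set -eu

PSA_PHP=/usr/local/psa/apache/bin/php       # Plesk's own PHP binary (from the thread)
HORDE_PEAR=/usr/local/psa/psa-horde/pear     # Horde's bundled PEAR tree (from the thread)
OLD_LINE="ini_set('include_path', '/home/jan/pear_root/share/pear');"
NEW_LINE="ini_set('include_path', '$HORDE_PEAR');"

# Step 1: replace the hard-coded include_path in the given pearcmd.php.
# Writes a .orig backup first; returns 1 if the expected line is not present
# (already patched, or a different pearcmd.php than the one in the thread).
fix_include_path() {
    f=$1
    grep -q -F "$OLD_LINE" "$f" || return 1
    cp "$f" "$f.orig"
    sed "s#$OLD_LINE#$NEW_LINE#" "$f.orig" > "$f"
}

# Returns 0 when the file now carries the corrected include_path.
check_include_path() {
    grep -q -F "$NEW_LINE" "$1"
}

# Step 2: run the upgrade with Plesk's PHP, then restart Apache with whatever
# command your system uses (not run by the dry run below).
run_upgrade() {
    fix_include_path "$HORDE_PEAR/pearcmd.php" || echo "include_path line not found, not patching"
    check_include_path "$HORDE_PEAR/pearcmd.php"
    "$PSA_PHP" "$HORDE_PEAR/pearcmd.php" upgrade XML_RPC
}

# Dry run against a constructed stand-in for pearcmd.php, so the patch logic
# can be exercised on a box without Plesk. Returns 0 when the patch verified.
demo_fix() {
    tmp=$(mktemp)
    printf '%s\n' '<?php' "$OLD_LINE" "require_once 'PEAR.php';" > "$tmp"
    if fix_include_path "$tmp" && check_include_path "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp" "$tmp.orig"
    return $rc
}
```

Call `run_upgrade` as root on the Plesk host once `demo_fix` passes; the .orig backup lets you revert pearcmd.php if the upgrade misbehaves.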
 
Originally posted by Jllynch
Anyone know the file locations for linux (Redhat)?

On linux Plesk uses the system-provided PHP, so you should check your distro security updates.
 
But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command;

pear upgrade XML_RPC.
 
Originally posted by Jllynch
But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command;

pear upgrade XML_RPC.

I dunno if PSA use pear and XML functions...
 
Originally posted by Jllynch
Anyone know the file locations for linux (Redhat)?
For RH, try:

/usr/share/pear/pearcmd.php
/usr/share/psa-horde/pear/pearcmd.php
 
Originally posted by EvolutionCrazy
I dunno if PSA use pear and XML functions...

Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.
 
Originally posted by jshanley
Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.

AFAIU, AppVault packages use system PHP, not the Plesk's one. IIRC, only phpMyAdmin and pgMyAdmin use PHP shipping with Plesk.
 