
WARNING: PHP XML-RPC Vulnerability

jshanley

Guest
As seen on the PHP webpage, there is an exploitable security vulnerability in the XML-RPC module. Some people have reported attempts to exploit this vulnerability already.

This module is upgradeable by doing a:

pear upgrade XML_RPC

Plesk does not seem to ship with pear though (at least not on FreeBSD), so updating those systems will be a little more interesting.

Some software that uses XML-RPC, and may (or may not) be installed on your machines:

Wordpress, Postnuke, phpWiki, etc.

More info here and here.


Just giving a heads up. Hopefully SW-Soft will release a hotfix..

-J
 
The only place on FreeBSD I found pear was in Horde; I can't find a way to upgrade the XML_RPC though..
 
Fix

Victor K. @ sw-soft support was nice enough to mention that pearcmd.php can be used in place of the normal "pear" command.

Here is the way to fix your system, at least on FreeBSD. Note that Horde seems to use XML-RPC (at least it ships with it, so...)

1) edit /usr/local/psa/psa-horde/pear/pearcmd.php

change the line:

ini_set('include_path', '/home/jan/pear_root/share/pear');

to:

ini_set('include_path', '/usr/local/psa/psa-horde/pear');

2) Then do:

/usr/local/psa/apache/bin/php /usr/local/psa/psa-horde/pear/pearcmd.php upgrade XML_RPC

It will sit there for a few seconds, then update the module.

Just to be safe, I'd suggest restarting apache.

-J
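Scripted version of the two steps above, added here as an example and not taken from the post: it looks for pearcmd.php in the locations named in this thread, rewrites the hardcoded include_path to the directory that actually contains pearcmd.php (keeping a .bak copy), and runs the upgrade with the Plesk PHP binary. The PHP_BIN variable and the --apply flag are this script's own conventions, not anything Plesk provides.

```shell
#!/bin/sh
# Added example (not from the original post): script the pearcmd.php
# include_path fix and the XML_RPC upgrade described in the thread.
# Assumptions: the candidate paths and the Plesk PHP binary are the ones
# named in the thread; PHP_BIN and --apply are this script's own conventions.

PEARCMD_CANDIDATES="/usr/local/psa/psa-horde/pear/pearcmd.php \
/usr/share/psa-horde/pear/pearcmd.php \
/usr/share/pear/pearcmd.php"

# Print the first pearcmd.php that exists; fail if none does.
find_pearcmd() {
  for f in $PEARCMD_CANDIDATES; do
    if [ -f "$f" ]; then echo "$f"; return 0; fi
  done
  return 1
}

# Report the include_path currently hardcoded in pearcmd.php.
current_include_path() {
  sed -n "s|.*ini_set('include_path', *'\([^']*\)');.*|\1|p" "$1" | head -n 1
}

# Point the hardcoded include_path at the directory that actually holds
# pearcmd.php (e.g. /usr/local/psa/psa-horde/pear), keeping a .bak copy.
fix_include_path() {
  pearcmd="$1"
  pear_root=$(dirname "$pearcmd")
  cp "$pearcmd" "$pearcmd.bak"
  sed "s|ini_set('include_path', *'[^']*');|ini_set('include_path', '$pear_root');|" \
    "$pearcmd.bak" > "$pearcmd"
}

# Run the PEAR upgrade through the PHP binary shipped with Plesk.
upgrade_xml_rpc() {
  php_bin="${PHP_BIN:-/usr/local/psa/apache/bin/php}"
  "$php_bin" "$1" upgrade XML_RPC
}

# Only touch the system when explicitly asked; restart Apache afterwards.
if [ "${1:-}" = "--apply" ]; then
  pearcmd=$(find_pearcmd) || { echo "pearcmd.php not found" >&2; exit 1; }
  echo "before: $(current_include_path "$pearcmd")"
  fix_include_path "$pearcmd"
  echo "after:  $(current_include_path "$pearcmd")"
  upgrade_xml_rpc "$pearcmd"
fi
```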
 
Originally posted by Jllynch
Anyone know the file locations for linux (Redhat)?

On linux Plesk uses the system-provided PHP, so you should check your distro security updates.
 
But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command:

pear upgrade XML_RPC
 
Originally posted by Jllynch
But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command:

pear upgrade XML_RPC

I dunno if PSA uses pear and XML functions...
 
Originally posted by Jllynch
Anyone know the file locations for linux (Redhat)?
For RH, try:

/usr/share/pear/pearcmd.php
/usr/share/psa-horde/pear/pearcmd.php
 
Originally posted by EvolutionCrazy
I dunno if PSA uses pear and XML functions...

Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.
 
Originally posted by jshanley
Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.

AFAIU, AppVault packages use system PHP, not Plesk's. IIRC, only phpMyAdmin and pgMyAdmin use the PHP shipping with Plesk.
 