
WARNING: PHP XML-RPC Vulnerability

Discussion in 'Plesk for Linux - 8.x and Older' started by jshanley, Jul 4, 2005.

  1. jshanley

    jshanley Guest

     
    As seen on the PHP webpage - there is an exploitable security vulnerability in the XML-RPC module. Some people have reported attempts to exploit this vulnerability already.

    This module is upgradeable by doing a:

    pear upgrade XML_RPC

    Plesk does not seem to ship with pear though (at least not on FreeBSD), so updating those systems will be a little more interesting.

    Some software that uses XML-RPC, and may (or may not) be installed on your machines:

    Wordpress, Postnuke, phpWiki, etc.

    More info here and here.


    Just giving a heads up. Hopefully SW-Soft will release a hotfix..

    -J
     
  2. nihaopaul

    nihaopaul Guest

     
    Only place on FreeBSD I found pear was in HORDE, I can't find a way to upgrade the RPC_XML though..
     
  3. jshanley

    jshanley Guest

     
    Fix

    Victor K. @ sw-soft support was nice enough to mention that pearcmd.php can be used in place of the normal "pear" command.

    Here is the way to fix your system, at least on FreeBSD. Note that Horde seems to use XML-RPC (at least it ships with it, so...)

    1) edit /usr/local/psa/psa-horde/pear/pearcmd.php

    change the line:

    ini_set('include_path', '/home/jan/pear_root/share/pear');

    to:

    ini_set('include_path', '/usr/local/psa/psa-horde/pear');

    2) Then do:

    /usr/local/psa/apache/bin/php /usr/local/psa/psa-horde/pear/pearcmd.php upgrade XML_RPC

    It will sit there for a few seconds, then update the module.

    Just to be safe, I'd suggest restarting apache.

    -J
     
  5. dm__@

    dm__@ Guest

     
    On Linux, Plesk uses the system-provided PHP, so you should check your distro security updates.
     
  7. Jllynch

    Jllynch Regular Pleskian

    But isn't the issue here updating the PSA version of PHP? The standard version of PHP can be simply updated with this command:

    pear upgrade XML_RPC
     
  8. EvolutionCrazy

    EvolutionCrazy Basic Pleskian

    I dunno if PSA uses pear and XML functions...
     
  9. jamesyeeoc

    jamesyeeoc Guest

     
    For RH, try:

    /usr/share/pear/pearcmd.php
    /usr/share/psa-horde/pear/pearcmd.php
     
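Tying post 3's FreeBSD procedure and post 9's RH paths together, here is an added shell helper (not code from the thread or from Plesk) that asks each pearcmd.php found on the box which XML_RPC it sees and says whether that copy still needs the upgrade. It assumes PHP_BIN is the Plesk php from post 3, MIN_VERSION is a placeholder you set from the PEAR advisory (the thread gives no number), and the "pear list" text is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: for each pearcmd.php
# named in posts 3 and 9, ask it which XML_RPC it sees and report whether that
# copy still needs "pearcmd.php upgrade XML_RPC".
set -e
PHP_BIN="${PHP_BIN:-/usr/local/psa/apache/bin/php}"   # php path from post 3
# PLACEHOLDER: the thread names no fixed version; set it from the PEAR advisory.
MIN_VERSION="${MIN_VERSION:-0.0.0}"
# pearcmd.php locations named in the thread (FreeBSD in post 3, RH in post 9).
PEARCMD_CANDIDATES="/usr/local/psa/psa-horde/pear/pearcmd.php
/usr/share/pear/pearcmd.php
/usr/share/psa-horde/pear/pearcmd.php"
# Constructed sample of "pear list" output for a stand-alone dry run.
SAMPLE_LIST="Installed packages:
Package   Version State
Mail      1.1.3   stable
XML_RPC   1.0.0   stable"
# version_lt A B: succeed when dotted version A is older than B (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1 }'
}
# installed_xmlrpc_version: print XML_RPC's version from "pear list" text on stdin, if any.
installed_xmlrpc_version() { awk '$1 == "XML_RPC" { print $2; exit }'; }
# xmlrpc_needs_upgrade LIST_TEXT: succeed only if XML_RPC is installed and older than MIN_VERSION.
xmlrpc_needs_upgrade() {
    ver=$(printf '%s\n' "$1" | installed_xmlrpc_version)
    [ -n "$ver" ] && version_lt "$ver" "$MIN_VERSION"
}
# report LABEL LIST_TEXT: one line saying whether that pearcmd.php needs the upgrade.
report() {
    if xmlrpc_needs_upgrade "$2"; then
        echo "$1: XML_RPC older than $MIN_VERSION; run: $PHP_BIN $1 upgrade XML_RPC"
    else
        echo "$1: XML_RPC absent or already at/above $MIN_VERSION"
    fi
}
# Live check: run "list" through every candidate pearcmd.php that exists on this host.
for cmd in $PEARCMD_CANDIDATES; do
    [ -f "$cmd" ] || continue
    out=$("$PHP_BIN" "$cmd" list 2>/dev/null) || continue
    report "$cmd" "$out"
done
report "sample" "$SAMPLE_LIST"   # dry run on the constructed sample
```

Run it as root after setting MIN_VERSION; a "run:" line names the exact pearcmd.php invocation from post 3 for that copy.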
  10. jshanley

    jshanley Guest

     
    Well, Horde (webmail) on Plesk is released with XML-RPC included, so I would imagine that it uses it... I don't think the rest of Plesk uses it though, EXCEPT maybe for some of the packages in the Application Vault.
     
  11. dm__@

    dm__@ Guest

     
    AFAIU, AppVault packages use system PHP, not Plesk's. IIRC, only phpMyAdmin and pgMyAdmin use the PHP shipping with Plesk.
     