July 4th, 2005


PHP c0ders s0 gr3at

First read this.

Second, laugh.

The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.
The XML-RPC flaw was discovered by James Bercegay of GulfTech Security Research. Bercegay found that the libraries are "vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver ... By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server."
Hahahaha. I love the PHP community, that nobody found this in all this time. Does nobody audit the libraries they use?
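
The pattern the quoted advisory describes, shown as an added illustration that is not part of the original post and not the code of any of the affected libraries: a constructed decoder that pastes XML element text into a single-quoted PHP literal passed to eval(), beside a version that never generates code. The function names, the sample document and the marker variable are made up for this example.

```php
<?php
// Constructed illustration of the bug class; not taken from any XML-RPC library.

// Unsafe: element text is pasted between single quotes in generated PHP source.
function decode_string_unsafe(string $xml): string
{
    $text = (string) simplexml_load_string($xml)->string;
    $value = '';
    // A single quote inside $text closes the literal; the rest runs as code.
    eval("\$value = '" . $text . "';");
    return $value;
}

// Hardened: the element text stays data from start to finish; nothing is eval'd.
function decode_string_safe(string $xml): string
{
    return (string) simplexml_load_string($xml)->string;
}

// Constructed input: a harmless statement that only sets a marker variable.
$sample = <<<'XML'
<value><string>x'; $GLOBALS['marker'] = 'statement ran'; $value = 'y</string></value>
XML;

$safe = decode_string_safe($sample);
echo "safe decoder returned:   ", $safe, "\n";
echo "marker after safe call:  ", var_export(isset($GLOBALS['marker']), true), "\n";

$unsafe = decode_string_unsafe($sample);
echo "unsafe decoder returned: ", $unsafe, "\n";
echo "marker after unsafe call: ", var_export(isset($GLOBALS['marker']), true), "\n";
```

The same review question applies to any eval() whose argument is assembled from request data: escaping the quote is fragile, while removing the generated code removes the bug class.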