
XML-RPC vulnerability

2005-07-05

A critical security issue has been discovered in the XML-RPC for PHP that most applications use, including b2evolution.

It is highly recommended you fix your installation by downloading this patch file and unzipping it into your /blogs/b2evocore/ folder. This should overwrite the two following files:

  • _functions_xmlrpc.php
  • _functions_xmlrpcs.php

UPDATE: The authors of the XML-RPC library have released a new version. The previous one may not be sufficiently secure. Thus there is a new patch file available for b2evolution. It must be installed in the exact same manner.

This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.

The patch will be included in future releases.

6 comments

Comment from: ben [Visitor]
Thanks :)
I was wondering, when will you update the "stats" engine + banning function of B2evolution.

I explain, when you have thousands of spam referers, it would be easier to have checkboxes to ban referers instead of banning them 1 after 1. You simply could select all you want, and ban them in few clicks. That would be a very great improvement for sure :)

Respects,

Ben b.
2005-07-06 @ 13:49
Comment from: André Mondri [Visitor]
It is impossible to extract the Patch Zipfile with 7-zip and PowerArchiver on Windows XP SP2.
2005-07-13 @ 20:26
Comment from: YabberWalkie [Visitor]
Andre, it's possible with WinRAR 3.30.
2005-07-27 @ 10:58
Comment from: Paul [Visitor]
It would seem that a new vulnerability with the xmlrpc code has been discovered since the most recent b2evo patch (see http://phpxmlrpc.sourceforge.net/)

The xmlrpc code should be updated to version 1.2 asap (would seem to be quite vulnerable until it is). The new version of xmlrpc removes all use of the eval() function which should prevent future vulnerabilities of this type.
2005-08-31 @ 18:39
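To make the point in Paul's comment concrete, here is an added illustration (not part of the original post, and not code from the phpxmlrpc library or from b2evolution): a toy decoder for XML-RPC `<value>` elements, written first in the style that generates PHP source from the request and hands it to eval(), then rewritten to build the PHP value directly from the parsed DOM, which is what removes that whole class of bug. The function names, the constructed sample request and the small subset of supported types are my own assumptions.

```php
<?php
declare(strict_types=1);

/** @return DOMElement[] direct element children only (not all descendants) */
function childElements(DOMNode $node): array
{
    $out = [];
    foreach ($node->childNodes as $c) {
        if ($c instanceof DOMElement) {
            $out[] = $c;
        }
    }
    return $out;
}

// DANGEROUS PATTERN (hypothetical, for contrast only): turn the request into
// a fragment of PHP source, then eval() it. Text from the request is spliced
// into a string literal, so correctness of the whole server now rests on that
// literal never being broken out of. The fix is not better quoting; it is to
// stop generating code from input altogether.
function decodeValueUnsafe(DOMElement $value): mixed
{
    $code = 'null';
    foreach (childElements($value) as $child) {
        if ($child->localName === 'int' || $child->localName === 'i4') {
            $code = (string) (int) $child->textContent;
        } elseif ($child->localName === 'string') {
            $code = "'" . $child->textContent . "'"; // request text inside PHP source
        }
    }
    return eval("return $code;");
}

// SAFE PATTERN: map each typed node to a PHP value. No code is generated, so
// request content is only ever data. Unknown types and malformed scalars are
// rejected rather than guessed at.
function decodeValueSafe(DOMElement $value): mixed
{
    foreach (childElements($value) as $child) {
        switch ($child->localName) {
            case 'int':
            case 'i4':
                $text = trim($child->textContent);
                if (!preg_match('/^-?\d+$/', $text)) {
                    throw new InvalidArgumentException('malformed <int>');
                }
                return (int) $text;
            case 'boolean':
                return trim($child->textContent) === '1';
            case 'string':
                return $child->textContent;
            case 'array':
                $items = [];
                foreach (childElements($child) as $data) {
                    if ($data->localName !== 'data') {
                        continue;
                    }
                    foreach (childElements($data) as $v) {
                        if ($v->localName === 'value') {
                            $items[] = decodeValueSafe($v); // recurse for nested arrays
                        }
                    }
                }
                return $items;
            default:
                throw new InvalidArgumentException('unsupported type <' . $child->localName . '>');
        }
    }
    // A <value> with no typed child is a string per the XML-RPC spec.
    return $value->textContent;
}

// Constructed sample request (not a capture from a real client).
$xml = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>example.echo</methodName>
  <params>
    <param><value><int>42</int></value></param>
    <param><value><array><data>
      <value><string>hello</string></value>
      <value><boolean>1</boolean></value>
    </data></array></value></param>
  </params>
</methodCall>
XML;

$doc = new DOMDocument();
// LIBXML_NONET: never let the parser fetch anything over the network for
// untrusted input.
$doc->loadXML($xml, LIBXML_NONET);

$params = [];
foreach ($doc->getElementsByTagName('param') as $param) {
    foreach (childElements($param) as $v) {
        if ($v->localName === 'value') {
            $params[] = decodeValueSafe($v);
        }
    }
}
var_dump($params);
```

The safe decoder is the one the sample request is run through; decodeValueUnsafe is kept only to show the shape of the pattern Paul describes being removed. Beyond eval(), note that the decoder whitelists types and validates the text of numeric nodes before casting, so a request can only ever produce the PHP values the server intended to accept.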
Comment from: Francois Planque [Member] Email
The patch for version 1.2 is available here on SourceForge.
2005-08-31 @ 19:45
Comment from: mallika [Visitor]
If anyone has the problem of xml_rpc please let me know. I have the latest version of 9.1.
2006-05-16 @ 15:25