A critical security issue has been discovered in the XML-RPC for PHP library that many applications use, including b2evolution.
It is highly recommended that you fix your installation by downloading this
patch file and unzipping it into your /blogs/b2evocore/ folder. This should overwrite the following two files:
This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.
The patch will be included in future releases.
I was wondering: when will you update the "stats" engine and the banning function of B2evolution?
Let me explain: when you have thousands of spam referrers, it would be easier to have checkboxes to ban referrers instead of banning them one after another. You could simply select all the ones you want and ban them in a few clicks. That would be a very great improvement for sure :)
It is impossible to extract the patch zip file with 7-Zip and PowerArchiver on Windows XP SP2.
Andre, it’s possible with WinRAR 3.30.
Comment from: Paul
It would seem that a new vulnerability in the xmlrpc code has been discovered since the most recent b2evo patch (see http://phpxmlrpc.sourceforge.net/).
The xmlrpc code should be updated to version 1.2 ASAP (it would seem to be quite vulnerable until it is). The new version of xmlrpc removes all use of the eval() function, which should prevent future vulnerabilities of this type.
The patch for version 1.2 is available here on SourceForge.
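To illustrate why removing eval() from the XML-RPC decoder matters, here is an added PHP example. It is not code from phpxmlrpc, b2evolution, or the commenter above; it is a deliberately simplified decoder written for this page. It assumes a decoder that only handles scalar `<param>` values, a constructed XML-RPC request embedded inline (not a real capture), and the hypothetical function names `decodeValuesWithEval` and `decodeValuesSafely`. The first function splices request text into PHP source and eval()s it, so a crafted `<string>` value changes what the decoder executes; the second decodes the same values with a type switch and never executes request text.

```php
<?php
// Added illustrative example (not phpxmlrpc's or b2evolution's code).
// Shows an eval()-based XML-RPC value decoder beside an eval()-free one.

// Constructed sample request (not a real capture): three scalar params.
$request = <<<'XML'
<?xml version="1.0"?>
<methodCall>
<methodName>demo.echo</methodName>
<params>
<param><value><string>hello</string></value></param>
<param><value><int>42</int></value></param>
<param><value><boolean>1</boolean></value></param>
</params>
</methodCall>
XML;

// Vulnerable pattern (assumed simplification): untrusted element text is
// pasted into PHP source and eval()ed. Any quote in the text breaks out of
// the string literal and the remainder runs as PHP.
function decodeValuesWithEval(string $xml): array {
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET);
    $out = [];
    foreach ($doc->getElementsByTagName('value') as $value) {
        $typed = $value->firstChild;            // e.g. <string>, <int>
        $src = '$v = "' . $typed->textContent . '";';
        $v = null;
        eval($src);                             // request text becomes code
        $out[] = $v;
    }
    return $out;
}

// Hardened pattern: decode by inspecting the type element and validating the
// text for that type. Request text is only ever treated as data.
function decodeValuesSafely(string $xml): array {
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET);          // no network fetches for DTDs
    $out = [];
    foreach ($doc->getElementsByTagName('value') as $value) {
        $typed = null;
        foreach ($value->childNodes as $child) {
            if ($child instanceof DOMElement) { $typed = $child; break; }
        }
        if ($typed === null) {                  // bare <value>text</value> is a string
            $out[] = $value->textContent;
            continue;
        }
        $text = $typed->textContent;
        switch ($typed->nodeName) {
            case 'string':
                $out[] = $text;
                break;
            case 'int':
            case 'i4':
                if (!preg_match('/^-?\d+$/', $text)) {
                    throw new InvalidArgumentException("bad int: $text");
                }
                $out[] = (int) $text;
                break;
            case 'boolean':
                if ($text !== '0' && $text !== '1') {
                    throw new InvalidArgumentException("bad boolean: $text");
                }
                $out[] = ($text === '1');
                break;
            case 'double':
                if (!is_numeric($text)) {
                    throw new InvalidArgumentException("bad double: $text");
                }
                $out[] = (float) $text;
                break;
            default:                            // arrays, structs, base64 etc. not handled here
                throw new InvalidArgumentException('unsupported type: ' . $typed->nodeName);
        }
    }
    return $out;
}

// A benign request decodes the same way in both (the eval() version returns
// every value as a string, which already hints it is not really parsing).
var_dump(decodeValuesWithEval($request));
var_dump(decodeValuesSafely($request));

// Constructed crafted request: the <string> text closes the quoted literal and
// continues with PHP of the sender's choosing (a harmless reassignment here).
$crafted = '<?xml version="1.0"?><methodCall><methodName>demo.echo</methodName>'
         . '<params><param><value><string>x"; $v = "INJECTED"; //</string></value></param>'
         . '</params></methodCall>';
var_dump(decodeValuesWithEval($crafted));      // the injected assignment ran
var_dump(decodeValuesSafely($crafted));        // the whole text is returned as data
```

With the crafted request, the eval()-based decoder returns whatever the injected PHP assigned, while the type-switch decoder returns the literal text of the `<string>` element. This is the class of bug that dropping eval() closes: once request content is never concatenated into source, there is no quote or delimiter left for a sender to escape. Note that the safe version also rejects malformed `<int>`, `<boolean>` and `<double>` text instead of silently coercing it, and passes `LIBXML_NONET` so a DOCTYPE in the request cannot trigger network fetches.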
If anyone has the problem with xml_rpc, please let me know. I have the latest version of 9.1.