1 Jul 05, 2005 15:50    

A critical security issue has been discovered in the XML-RPC for PHP that most applications use, including b2evolution.

It is highly recommended you fix your installation by downloading this patch file and unzipping it into your /blogs/b2evocore/ folder. This should overwrite the two following files:

  • _functions_xmlrpc.php
  • _functions_xmlrpcs.php

UPDATE: The authors of the XML-RPC library have released a new version. The previous one may not be sufficiently secure. Thus there is a new patch file available for b2evolution. It must be installed in the exact same manner.

This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions.

The patch will be included in future releases.

2 ben Jul 06, 2005 13:49

Thanks :)
I was wondering, when will you update the “stats” engine + banning function of B2evolution?

Let me explain: when you have thousands of spam referers, it would be easier to have checkboxes to ban referers instead of banning them one after one. You could simply select all you want and ban them in a few clicks. That would be a very great improvement for sure :)

Respects,

Ben b.

3 André Mondri Jul 13, 2005 20:26

It is impossible to extract the patch zip file with 7-Zip and PowerArchiver on Windows XP SP2.

5 Paul Aug 31, 2005 18:39

It would seem that a new vulnerability with the xmlrpc code has been discovered since the most recent b2evo patch (see http://phpxmlrpc.sourceforge.net/)

The xmlrpc code should be updated to version 1.2 asap (would seem to be quite vulnerable until it is). The new version of xmlrpc removes all use of the eval() function which should prevent future vulnerabilities of this type.
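
The point Paul makes about the updated library removing every use of eval() is the general fix for this class of bug: the decoder maps each XML-RPC type to its own branch instead of building PHP source from request text. The following is an added example of such a decoder, not code from phpxmlrpc or b2evolution; the function name xmlrpc_decode_value and the sample request are my own constructions.

```php
<?php
// Added example, not phpxmlrpc or b2evolution code: decode an XML-RPC <value>
// subtree into native PHP values through an explicit type switch. Each type
// has its own branch; nothing taken from the request is handed to eval().

function xmlrpc_decode_value(SimpleXMLElement $value)
{
    // <value> wraps one typed child, or bare text that XML-RPC treats as a string.
    $typed = null;
    foreach ($value->children() as $child) { $typed = $child; break; }
    if ($typed === null) {
        return (string) $value;
    }
    $text = trim((string) $typed);
    switch ($typed->getName()) {
        case 'i4':
        case 'int':
            if (!preg_match('/^-?\d+$/', $text)) {
                throw new InvalidArgumentException("bad int: $text");
            }
            return (int) $text;
        case 'boolean':
            return $text === '1';
        case 'string':
            return (string) $typed;
        case 'array':
            $out = [];
            foreach ($typed->data->value as $item) {
                $out[] = xmlrpc_decode_value($item);
            }
            return $out;
        case 'struct':
            $out = [];
            foreach ($typed->member as $m) {
                $out[(string) $m->name] = xmlrpc_decode_value($m->value);
            }
            return $out;
        default:
            // Unknown element names are rejected, never interpreted.
            throw new InvalidArgumentException('unsupported type: ' . $typed->getName());
    }
}

// Constructed sample request (not a real capture); LIBXML_NONET blocks network fetches.
$xml = '<methodCall><methodName>blogger.getUsersBlogs</methodName><params><param>'
     . '<value><struct><member><name>id</name><value><int>7</int></value></member>'
     . '<member><name>tags</name><value><array><data><value>a</value>'
     . '<value><boolean>1</boolean></value></data></array></value></member>'
     . '</struct></value></param></params></methodCall>';
$doc = new SimpleXMLElement($xml, LIBXML_NONET);
var_dump(xmlrpc_decode_value($doc->params->param[0]->value));
```

Running it prints the struct as a PHP array with `id` as int 7 and `tags` as `["a", true]`; a request carrying an element name outside the switch raises an exception instead of being evaluated.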

7 mallika May 16, 2006 15:25

If anyone has the problem of xml_rpc, please let me know. I have the latest version of 9.1.