[wp-hackers] XML-RPC Exploit?
Roy Schestowitz
r at schestowitz.com
Wed Jul 6 06:42:25 GMT 2005
Quoting David Chait <davebytes at comcast.net>:
> Hey, a quick aside -- for users running OLD versions of WP (1.0, 1.2), is
> the xmlrpc.php a drop-in replacement, obviously with caveats related to
> updated fields in the database/table? (I assume not necessarily, especially
> bc of changed tables, but worth asking...)
>
> And, for all versions, if only using the built-in admin screens and not
> third party composition apps, can xmlrpc.php be deleted? (I looked in the
> codex, didn't find a quick answer... I assume so, but prefer to not assume!)
>
> Thanks, -d
I still run a modified version of WordPress 1.2.1 on two domains and I noticed a
question similar to yours asked in the forums, which has yet to get a reply.
There are two files I can identify as the roots of XML-RPC:
* wp-includes/class-xmlrpc.php
* wp-includes/class-xmlrpcs.php
The latter appears to be Matt's complement to the first. I chose to do the
following:
chmod 0 wp-includes/class-xmlrpc.php wp-includes/class-xmlrpcs.php
Then, to avoid PHP warnings in your error logs, remember to disable Pingomatic
(you can still ping manually as it's painless):
Admin Panel -> Options -> Writing, then empty the 'Update Services' field.
I don't think you have an alternative as 1.2 (or earlier) is no longer
maintained. Whether the functions are flawed or not I don't know, but it's a
possible 'weapon' on the server, which I am scared of. I recently advised my
Web host to sniff around for unprotected WP 1.5 installations.
Roy
--
Roy S. Schestowitz
http://Schestowitz.com
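The chmod-0 workaround described in the message above, turned into a repeatable, checkable procedure. This is an added example and is not code from the thread or from WordPress: it assumes only the three file names the thread mentions (xmlrpc.php in the install root, class-xmlrpc.php and class-xmlrpcs.php under wp-includes), builds a throwaway WordPress-like tree so it can run offline, and the includer file wp-admin/post.php in that tree is constructed for the demo. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of WordPress.
# Assumed layout (from the file names in the thread only): xmlrpc.php in the
# install root, the two class files under wp-includes/.
XMLRPC_FILES="xmlrpc.php wp-includes/class-xmlrpc.php wp-includes/class-xmlrpcs.php"

# Constructed sample tree so the functions below can be exercised offline.
# The includer (wp-admin/post.php) stands in for any code that pulls in the
# XML-RPC class and would start logging warnings once the file is unreadable.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-admin"
    for f in $XMLRPC_FILES; do
        printf '<?php // constructed placeholder\n' > "$root/$f"
    done
    printf "<?php require_once('wp-includes/class-xmlrpc.php');\n" > "$root/wp-admin/post.php"
    printf "<?php echo 'no xmlrpc here';\n" > "$root/wp-admin/index.php"
    echo "$root"
}

# The workaround from the post: strip every permission bit (chmod 0).
# Prints each file it changed; returns non-zero if an expected file is missing.
disable_xmlrpc() {
    root=$1; rc=0
    for f in $XMLRPC_FILES; do
        if [ -e "$root/$f" ]; then
            chmod 0 "$root/$f" && echo "$f"
        else
            echo "missing: $f" >&2; rc=1
        fi
    done
    return $rc
}

# Verify that every XML-RPC file present really is mode 000. Uses find -perm
# with an exact mode rather than [ -r ], because root passes [ -r ] on anything.
# Prints "ok" or the files that are still accessible.
check_xmlrpc_disabled() {
    root=$1; bad=""
    for f in $XMLRPC_FILES; do
        [ -e "$root/$f" ] || continue
        if ! find "$root/$f" -perm 000 | grep -q .; then
            bad="$bad $f"
        fi
    done
    [ -z "$bad" ] && echo ok || echo "still accessible:$bad"
}

# List the PHP files that include either class file. These are the places that
# will log "failed to open stream" warnings after chmod 0, which is why the post
# says to clear the Update Services (Pingomatic) field as well. Run this before
# disabling, while the tree is still readable.
list_xmlrpc_includers() {
    root=$1
    find "$root" -name '*.php' -exec grep -l 'class-xmlrpc[s]*\.php' {} + 2>/dev/null \
        | grep -v 'wp-includes/class-xmlrpc' \
        | sed "s#^$root/##" | sort
}

# Stand-alone demo on the constructed tree.
demo=$(make_sample_tree)
echo "includers:"; list_xmlrpc_includers "$demo"
disable_xmlrpc "$demo" >/dev/null
echo "state after chmod 0: $(check_xmlrpc_disabled "$demo")"
rm -rf "$demo"
```

Run check_xmlrpc_disabled against the real install root after the chmod to confirm nothing was missed (a later upgrade or a file restore from backup silently puts the modes back). Mode 0 denies the owner too, so this blocks the web server whether PHP runs as the site owner (suexec/php-cgi) or as a shared user; only root can still read the files, which is what the find -perm check is for.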