The reason for the WordPress update we covered last week has been disclosed by Netcraft: apparently PHP blogging tools, CMS packages and related packages can be exploited through a security hole in the way they handle XML commands.
For the more technical minded the flaw affects the XML-RPC function, which has many uses in web applications, including “ping” update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls(RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP. The net result is that these apps are vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver … By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server.
For the rest of us, if you are using packages such as PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ to name but a few, seek out an upgradge ASAP because this is bad people, bad, even if I actually have no real idea what this all means.
