
Re: [wp-hackers] XML-RPC Exploit?

Quoting David Chait <davebytes@xxxxxxxxxxx>:

Hey, a quick aside -- for users running OLD versions of WP (1.0, 1.2), is
the xmlrpc.php a drop-in replacement, obviously with caveats related to
updated fields in the database/table?  (I assume not necessarily, especially
bc of changed tables, but worth asking...)

And, for all versions, if only using the built-in admin screens and not
third party composition apps, can xmlrpc.php be deleted?  (I looked in the
codex, didn't find a quick answer... I assume so, but prefer to not assume!)

Thanks, -d

I still run a modified version of WordPress 1.2.1 on two domains, and I noticed a
question similar to yours asked in the forums, which has yet to get a reply.


There are two files I can identify as the roots of XML-RPC:

* wp-includes/class-xmlrpc.php
* wp-includes/class-xmlrpcs.php

the latter appears to be Matt's complement to the first. I chose to do the
following:

chmod 0 wp-includes/class-xmlrpc.php wp-includes/class-xmlrpcs.php

Then, to avoid PHP warnings in your error logs, remember to disable Pingomatic
(you can still ping manually as it's painless):

Admin Panel -> Options -> Writing, then empty the 'Update Services' field.

I don't think you have an alternative as 1.2 (or earlier) is no longer
maintained. Whether the functions are flawed or not I don't know, but it's a
possible 'weapon' on the server, which I am scared of. I recently advised my
Web host to sniff around for unprotected WP 1.5 installations.

Roy

--
Roy S. Schestowitz
http://Schestowitz.com
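The chmod step Roy describes, written up as a small POSIX shell routine that also verifies the result. This is an added example, not code from the original post or from WordPress; it assumes the WordPress root is passed as the first argument and that the two class file paths are those named above (the Update Services change still has to be made by hand in the admin panel).

```shell
#!/bin/sh
# Added example (not from the original post): strip all permission bits
# from the XML-RPC class files named in the thread, then verify that each
# one really ended up with mode 0000 so the change is not silently missed.
# Assumes: $1 is the WordPress root; file paths are the two from the post.

XMLRPC_FILES="wp-includes/class-xmlrpc.php wp-includes/class-xmlrpcs.php"

# is_locked FILE -> success only if FILE exists and has mode 0000.
# Uses the ls(1) mode column so it works with GNU and BSD userlands.
is_locked() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "---------" ]
}

# lock_xmlrpc WPROOT -> chmod 0 each listed file below WPROOT.
# Prints one status line per file. Files absent in older versions are
# skipped; returns non-zero if any present file is not locked afterwards.
lock_xmlrpc() {
    wproot=$1
    rc=0
    for rel in $XMLRPC_FILES; do
        f="$wproot/$rel"
        if [ ! -e "$f" ]; then
            echo "skip   $rel (not present in this install)"
            continue
        fi
        chmod 0 "$f" || { echo "FAILED $rel (chmod refused)"; rc=1; continue; }
        if is_locked "$f"; then
            echo "locked $rel"
        else
            echo "FAILED $rel (mode is not 0000)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh lock-xmlrpc.sh /path/to/wordpress
# (only runs when executed directly with an argument, not when sourced)
if [ -n "${1:-}" ]; then
    lock_xmlrpc "$1"
fi
```

Re-run the script after any upgrade, since a new release will restore the files with their default permissions.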

