Attacks Target XML-RPC Flaws in PHP Blogging Apps

Hackers are launching attacks on popular PHP-based blogging, wiki and content management program that failed to patch a serious security hole discovered in July. The attacks exploit flaws in the way PHP libraries handle XML-RPC commands, and appear to be targeting installations of WordPress and Drupal.

If left unpatched, an attacker could compromise a web server through vulnerable programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki, among others. These projects all issued fixes six months ago, as did the authors of the affected PHP libraries.

But as is often the case, some web servers and individual blogging applications remain unpatched. The Internet Storm Center has been receiving reports of attacks that install a remote access trojan through a weakness in the XML-RPC function in some PHP libraries, which allow applications to exchange XML data using remote procedure calls (RPC). XML-RPC has many uses in web applications, including "ping" update notifications for RSS feeds. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.

The flaws may be of particular interest to phishing operations, which have recently been installing spoof pages through security holes in bulletin boards and content management apps. Updated copies of the affected PHP libraries are now available, and immediate upgrades are recommended.