2005-11-09
The latest and greatest Linux worm isn't the most elegant or fastest spreading worm, or even one that's difficult to stop, but it still offers a warning for Web developers and administrators everywhere.
Are Linux and Windows to blame?
2005-11-16
Alexey Vesnin (1 replies)

This is simply one badly written xmlrpc.php script that got a lot of distribution and poor auditing. Unsanitized input being passed right to eval(), yeah, that's dumb on any platform. The vast majority of PHP installs don't have xmlrpc.php or the variants of it.
The problem is most of the freely available poorly written webapp code out there is available for PHP; ASP has just as many XSS and SQL injection problems, but few people seem to be releasing free ASP code, and the ones that do are just as vulnerable to the same coding mistakes PHP falls down to. Bottom line, sanitizing user input is easy and you should do it. That and run PHP in safe mode.
Also, if /tmp had been mounted noexec (which everyone does out of good security practices, yes?) this wouldn't have even been an issue.
Link to this comment: http://www.securityfocus.com/comments/columns/368/32647#32647
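To illustrate the pattern the comment above describes (request data spliced into a string handed to eval()) beside a dispatch that never evaluates caller-supplied text as code, here is an added example; it is not code from the column, from the commenter, or from any xmlrpc.php implementation, and the method names, handler functions and request values are constructed for illustration.

```php
<?php
// Added example, not from the page. Hypothetical RPC method names and
// handlers; the request values below are constructed.

// Vulnerable shape: the method name and parameter come straight from the
// request and are concatenated into PHP source, so the caller controls code.
function dispatch_unsafe(string $method, string $param): mixed
{
    return eval('return ' . $method . '("' . $param . '");');
}

// Hardened shape: a fixed allow-list maps external names to internal
// handlers; request text is only ever a lookup key or a validated value.
const RPC_METHODS = [
    'demo.sayHello' => 'rpc_say_hello',
    'demo.addTwo'   => 'rpc_add_two',
];

function rpc_say_hello(string $name): string
{
    // Treat the value as data: length cap plus a strict character allow-list.
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    return "Hello, $name";
}

function rpc_add_two(string $a, string $b): int
{
    if (!ctype_digit($a) || !ctype_digit($b)) {
        throw new InvalidArgumentException('integers expected');
    }
    return (int)$a + (int)$b;
}

function dispatch_safe(string $method, array $params): mixed
{
    // Fail closed: anything not in the allow-list is rejected before any call.
    if (!array_key_exists($method, RPC_METHODS)) {
        throw new InvalidArgumentException('unknown method');
    }
    return call_user_func_array(RPC_METHODS[$method], $params);
}

// Constructed requests: two valid calls and one that is refused.
var_dump(dispatch_safe('demo.addTwo', ['2', '40']));
var_dump(dispatch_safe('demo.sayHello', ['world']));
try {
    dispatch_safe('system', ['id']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allow-list keeps the set of reachable functions fixed at deploy time, which is what makes the dispatch auditable in a way an eval()-based one never is.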