[wp-hackers] XML-RPC Exploit?
Dougal Campbell
dougal at gunters.org
Wed Jul 6 14:03:45 GMT 2005
David Chait wrote:
> Hey, a quick aside -- for users running OLD versions of WP (1.0, 1.2),
> is the xmlrpc.php a drop-in replacement, obviously with caveats related
> to updated fields in the database/table? (I assume not necessarily,
> especially bc of changed tables, but worth asking...)
I don't know for sure, but I doubt that it would work unaltered. I think
that between 1.2 and 1.5, several functions related to xmlrpc.php were
moved/modified. Plus we switched from the Useful, Inc. xmlrpc libraries
to Simon Willison's IXR library (which should be pretty transparent as
far as the WP API goes, but...)
> And, for all versions, if only using the built-in admin screens and not
> third party composition apps, can xmlrpc.php be deleted? (I looked in
> the codex, didn't find a quick answer... I assume so, but prefer to not
> assume!)
As long as you don't need incoming or outgoing pingbacks, and if you use
the web interface for managing your content, then you can safely delete
xmlrpc.php and the associated libraries (class-xmlrpc.php and
class-xmlrpcs.php in pre-1.5 versions, class-IXR.php in ver 1.5+). You
probably just need to make sure that you disable the ping-related
options in admin.
--
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/
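An added audit check for the advice above (not part of the original thread and not WordPress code): it walks a WordPress document root and reports whether xmlrpc.php or any of the library files Dougal names (class-xmlrpc.php, class-xmlrpcs.php, class-IXR.php) are still present, so an admin who chose to delete them can confirm nothing was missed after an upgrade or restore. The root path is an assumption passed as an argument; files are matched by basename so the check does not depend on where a given WP version keeps them.

```shell
#!/bin/sh
# Audit a WordPress install for the XML-RPC entry point and its libraries.
# Usage: audit_xmlrpc /path/to/wordpress
# Exit status is the number of files found (0 means none remain).
# The file names come from the thread; the install path is an assumption.

XMLRPC_FILES="xmlrpc.php class-xmlrpc.php class-xmlrpcs.php class-IXR.php"

audit_xmlrpc() {
    root="$1"
    found=0
    for name in $XMLRPC_FILES; do
        # Match on basename anywhere under the root: pre-1.5 and 1.5+
        # releases keep these libraries in different places.
        hits=$(find "$root" -type f -name "$name")
        if [ -n "$hits" ]; then
            echo "$hits" | sed 's/^/present: /'
            found=$((found + $(echo "$hits" | wc -l)))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no XML-RPC files found under $root"
    fi
    return "$found"
}

# Run directly: audit the directory given on the command line.
if [ -n "$1" ]; then
    audit_xmlrpc "$1"
fi
```

Removing the files only stops remote XML-RPC and pingback handling; as the reply notes, the ping-related options in the admin screens still need to be switched off so the blog does not try to send pingbacks it can no longer process.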