[wp-hackers] Exploit, or no?
ryan at boren.nu
Wed Jun 29 00:24:22 GMT 2005
On Tue, 2005-06-28 at 22:52 +0000, Ryan Boren wrote:
> > And to Ryan/Matt, if you would like another set of eyes to review code
> > for that exploit, I'll be available today and tomorrow.
> We went ahead and commited for 1.5 and 1.6. Please review and test.
> The problem is with XMLRPC args not being escaped because they come in
> through raw post data, thus avoiding magic quoting.
> If you want to try it out, you can svn update from the 1.5 branch or
> download the two updated files. Just drop them on top of 126.96.36.199.
When I backported this from 1.6 I left some 1.6-isms in. Use this new
version of xmlrpc.php.
Please test the hell out of XMLRPC. Post, edit, etc. from your favorite
client and make sure I didn't break anything. Test some incoming pings
More information about the wp-hackers