wp-keitai-mail and the PHPXMLRPC vulnerability

I use Dr. Dave’s wp-keitai-mail script for my moblog postings, and it works great. However, it depends on some older XMLRPC files from WordPress 1.2 that are vulnerable to remote code execution, a flaw recently exploited by a worm making its way around the Internet. It looks like Dr. Dave has lost interest in updating it, and rewriting it to use the new WP 1.5 XMLRPC libraries is non-trivial.

Fortunately the risk can be mitigated pretty easily with some Apache .htaccess directives:

order deny,allow
deny from all
allow from localhost

Placing that in the wp-includes directory keeps the older XMLRPC files from being accessible (and exploitable) from the Internet, yet still allows wp-keitai-mail to use them, since it runs on the same host and connects over loopback. Tons easier than finding a new moblogging solution :)
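To see why those three directives let localhost through while turning everyone else away (and why swapping the Order argument locks out even localhost), here is a small Python model of Apache 2.2 mod_access evaluation. It is an added example, not part of the original post or of wp-keitai-mail, and it assumes that "localhost" matches only the loopback addresses 127.0.0.1 and ::1 (real Apache resolves hostname arguments with a reverse DNS lookup).

```python
import ipaddress

# Assumption: "localhost" covers exactly the loopback addresses.
LOOPBACK = {"127.0.0.1", "::1"}

# The directives from the post, embedded here as the input under test.
POST_SNIPPET = """order deny,allow
deny from all
allow from localhost"""


def _matches(rule, client_ip):
    """Does one 'Allow from' / 'Deny from' argument cover client_ip?
    Supports 'all', 'localhost' (loopback, see above) and IP/CIDR literals."""
    if rule == "all":
        return True
    if rule == "localhost":
        return client_ip in LOOPBACK
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False


def parse_htaccess(text):
    """Collect Order / Deny from / Allow from lines into (order, deny, allow)."""
    order, deny, allow = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) > 2 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(p.lower() for p in parts[2:])
    return order, deny, allow


def access_decision(order, deny, allow, client_ip):
    """Simplified Apache 2.2 mod_access semantics.
    deny,allow: Deny evaluated first, Allow last, unmatched requests allowed.
    allow,deny: Allow evaluated first, Deny last, unmatched requests denied.
    Whichever directive type is evaluated last wins when both match."""
    denied = any(_matches(r, client_ip) for r in deny)
    allowed = any(_matches(r, client_ip) for r in allow)
    if order == "deny,allow":
        return "allow" if allowed else ("deny" if denied else "allow")
    if order == "allow,deny":
        return "deny" if denied else ("allow" if allowed else "deny")
    raise ValueError("unsupported Order: %s" % order)


def check(snippet, client_ip):
    """Decision the snippet yields for a request from client_ip."""
    return access_decision(*parse_htaccess(snippet), client_ip)
```

On Apache 2.4 the same restriction is written as `Require local` in the `<Files>` or `<Directory>` block instead of the Order/Deny/Allow trio.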

2 thoughts on “wp-keitai-mail and the PHPXMLRPC vulnerability”

  1. dr Dave

    Hmn, I need to check to give you a 100% on that, but AFAIK, it can be made to run fine with the 1.5 XMLRPC library. I am myself running an unaltered 1.5.3 with it, and it works absolutely fine… I think I had to update a few lines. I may not have released it on the public archive (a few too many things to take care of these days).

    Contact me by email and I’ll send you a copy of the code I got so you can give it a try.

    Cheers
