
PHP Blogging Apps (and more) Vulnerable to XML-RPC Exploits


charles
07-04-2005, 11:47 PM
Please see this thread about an xml-rpc exploit in php.

http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerable_to_xmlrpc_exploits.html

You are advised to upgrade pear xmlrpc immediately with


pear clear-cache
pear upgrade XML_RPC


Please note that if your app doesn't use the pear xmlrpc implementation, or has xmlrpc code embedded in the application, you may have to upgrade/patch your app directly. If you are unsure, the safest thing to do is disable this feature by finding the files named 'xmlrpc.php' under your document root and renaming them or changing permissions to disable them. Common examples would include

/usr/local/cpanel/base/horde/lib/Horde/RPC/xmlrpc.php
Drupal/xmlrpc.php
Post-Nuke/xmlrpc.php
TikiWiki/xmlrpc.php
WordPress/xmlrpc.php
Xoops/xmlrpc.php
b2evolution/xmlsrv/xmlrpc.php

Wordpress users running a version older than 1.5.1.3 can see how to fix or upgrade here:

http://wordpress.org/support/topic/38263

Further discussion can be found in this WHT thread (http://www.webhostingtalk.com/showthread.php?s=&threadid=421520)

Please contact support if you need any help upgrading/patching. We may not be able to help you with all apps, but can make sure php and pear are up to date for you.

Tony
07-05-2005, 02:06 PM
All running VE's have had Pear XML_RPC upgraded to latest version.

Over the next few hours, we'll be running a script to check for vulnerable phpxmlrpc libraries, and will be automatically sending notifications. After you get your notification, submit a ticket and we'll be happy to roll out the updated phpxmlrpc for you.

Watch this space for more details.

Fred
07-05-2005, 10:56 PM
thanks a lot for the info.
I read that today in my email (Netcraft is great)... but wasn't sure if I could be concerned...

I upgraded my xml_rpc ...

Service is great here... and I hope it stays like that for a very long time.

Fred
07-05-2005, 10:59 PM
Also, could it be good to update them all?
pear list-upgrades

Should we update PHP too, since XML-RPC can be used by PHP too, right?

charles
07-05-2005, 11:42 PM
Yes, you will want to update PHP, but we're still looking into the best approach for all customers so we can not only do these quickly/properly ourselves, but advise you as well. We hope to have this together tomorrow, at which time we'll send out targeted emails showing you what PHP application installations you have that are vulnerable, and how to secure them.

I can't see any harm in updating all of pear, but ymmv.

charles

charles
07-07-2005, 08:45 PM
We have just sent an email to all customers that were vulnerable due to this exploit, outlining the implications of the exploit and what we did to resolve the issue. The email looked something like the following:

Hello Valued Customer,

Recently a PHP XML-RPC exploit was announced. We felt this was a big enough threat that we proactively performed the recommended fix for the core PEAR implementation by running the following on your VPS.

pear upgrade XML_RPC

In addition, a security audit revealed your VPS was exposed to vulnerabilities in PHP applications using XML-RPC that are using their own copies of the xmlrpc code. We have updated these files with a patched version as well. Both changes made are safe and were tested before being made.

Your account details are as follows:

Server ID: DVE12345
Hostname: ns1.somedomain.com
Vulnerability: PHP XML-RPC

The following files were replaced with the latest version:

/home/user1/fantastico_files/Drupal/includes/xmlrpcs.inc
/home/user1/fantastico_files/Post-Nuke/modules/xmlrpc/lib/xmlrpcs.inc
/home/user2/fantastico_files/TikiWiki/lib/xmlrpcs.inc


Two XML-RPC related files are shipped with quite a few web apps, libxml.inc and libxmls.inc; these contained a vulnerability whereby unsanitized data is passed directly into an eval() call, meaning that you can escape into the eval() call by using single quotes; this allowed arbitrary execution of PHP code.

We have determined that there is no need to recompile PHP, nor upgrade these applications, but keeping the applications current is always recommended.

** cpanel users also saw the below**
However, since you use cpanel and Fantastico, please update fantastico to ensure future installs are secure. To do this, login as the Fantastico admin user and click update.
** cpanel users also saw the above**

Regards,
PowerVPS Support
https://www.powervps.com/support/
http://forums.deftechgroup.com
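
The audit the thread describes, as an added example (this is not the original poster's script nor PowerVPS's, and it is not code from the thread): walk a document root for the xmlrpc.php entry points listed in the first post and for application-embedded phpxmlrpc library copies, report what needs action, and, if asked, disable the entry points by renaming them and dropping their permissions, which is the fallback the first post recommends when you cannot patch the application. Assumptions, not facts from the thread: library copies are looked up under the names the support email actually replaced (xmlrpc.inc / xmlrpcs.inc); a library copy that still contains an eval( call is only flagged "needs review", because the thread describes the bug as unsanitized data reaching eval() but does not show the vulnerable line, so this is a heuristic, not a signature; the `.disabled` suffix is my choice. The PEAR copy is covered separately by `pear upgrade XML_RPC` as the posts say; this script is only for copies bundled inside web applications.

```shell
#!/bin/sh
# Added example, not from the original thread. Audit a document root for
# XML-RPC entry points and embedded phpxmlrpc library copies, optionally
# disabling the entry points (rename + chmod 000) as the first post suggests.
#
# Assumptions (not stated by the thread): library copies are named
# xmlrpc.inc / xmlrpcs.inc; an eval( call in such a copy is treated as
# "needs review" (heuristic only, the exact vulnerable code is not reproduced).

# xmlrpc_find_entrypoints ROOT -> paths of xmlrpc.php files under ROOT
xmlrpc_find_entrypoints() {
    find "$1" -type f -name 'xmlrpc.php' 2>/dev/null | sort
}

# xmlrpc_find_libs ROOT -> paths of embedded phpxmlrpc library files
xmlrpc_find_libs() {
    find "$1" -type f \( -name 'xmlrpc.inc' -o -name 'xmlrpcs.inc' \) 2>/dev/null | sort
}

# xmlrpc_lib_needs_review FILE -> exit 0 if FILE still contains an eval( call
# (heuristic: the 2005 bug was unsanitized data reaching eval(); a copy with
# no eval at all cannot be exploited that way)
xmlrpc_lib_needs_review() {
    grep -q 'eval[[:space:]]*(' "$1"
}

# xmlrpc_audit ROOT -> one line per finding:
#   "entrypoint PATH"  an xmlrpc.php the web server can reach
#   "lib-review PATH"  an embedded library copy that still calls eval(
#   "lib-ok PATH"      an embedded library copy with no eval( call
xmlrpc_audit() {
    xmlrpc_find_entrypoints "$1" | while IFS= read -r f; do
        echo "entrypoint $f"
    done
    xmlrpc_find_libs "$1" | while IFS= read -r f; do
        if xmlrpc_lib_needs_review "$f"; then
            echo "lib-review $f"
        else
            echo "lib-ok $f"
        fi
    done
}

# xmlrpc_action_count ROOT -> number of findings that still need action
xmlrpc_action_count() {
    xmlrpc_audit "$1" | grep -c -E '^(entrypoint|lib-review) ' || true
}

# xmlrpc_disable ROOT -> rename each xmlrpc.php to xmlrpc.php.disabled and
# drop its permissions, so the web server can no longer serve it
xmlrpc_disable() {
    xmlrpc_find_entrypoints "$1" | while IFS= read -r f; do
        mv "$f" "$f.disabled" && chmod 000 "$f.disabled" && echo "disabled $f"
    done
}

# Usage when run directly: xmlrpc_audit.sh DOCROOT [--disable]
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    xmlrpc_audit "$1"
    [ "${2:-}" = "--disable" ] && xmlrpc_disable "$1"
fi
```

Run it read-only first (`sh xmlrpc_audit.sh /home`) and compare the "entrypoint" lines against the application list in the first post; "lib-review" lines are the files to replace with a patched copy, and only after that should `--disable` be used on installs you cannot patch, since renaming xmlrpc.php breaks XML-RPC clients (blog editors, pingbacks) for that application.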