An issue has been reported to the CMS/Blog systems Drupal and Wordpress which allows for a Denial of Service (DOS) through invalid XML injection to the XML-RPC service.
Serendipity has uncoupled the XML-RPC possibilities into an external plugin a long time ago, so an update of the core Serendipity version is luckily not available. Only users who have installed serendipity_event_xmlrpc (through Spartacus, for example) are are actually also affected by this issue, since it uses default PHP XML parsing facilities.
We have applied the same patch to the parsing routines to detect this invalid XML (see Drupal commit) to version 1.53 of the mentioned plugin. Users who have enabled this plugins should either update or remove this plugin to prevent possible DOS attacks to their servers. This version will be available in Spartacus within 24 hours, or can be downloaded manually through github: Source Link.
If the update generates problems with your valid XML-RPC calls, please report them either on our forums or in the Serendipity issue tracker on GitHub. Thanks a lot also to Ian for bringing this issue to our attention, so that we were able to provide a quick fix as well.
- No Trackbacks