CMS frameworks like WordPress, Drupal generally use XML rpc where they require making procedures calls between disparate environments.

Xmlrpc is a set of implementations that allow software running on the disparate operating system in different environments to make procedure calls over the internet. It uses HTTP to transport the data and XML as the encoding.

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. “XML-RPC” also refers generically to the use of XML for a remote procedure call, independently of the specific protocol. XML-RPC for PHP is affected by a remote code-injection vulnerability. An attacker may exploit this issue to execute arbitrary commands or code in the context of the web server. This may facilitate various attacks, including unauthorized remote access.

Find this vulnerability on your site with Free Website Security Scan.

Working of XML-RPC:

In XML-RPC, a HTTP request is sent to a server implanting the protocol. A client in the scenario is a software wanting to call a single method of the remote system. Multiple input parameters can be passed to the remote method, one return value is returned. Nesting of the parameter types can be used to transport a larger request structure. Therefore, XML-RPC can be used to transport objects or structures both as input and as output parameters.

The main difference in REST and XML-RPC protocol is, where resource representations (documents) are transferred, XML-RPC is designed to call methods.

Vulnerability in XML-RPC allows an attacker to make a system call which can be dangerous for the application and servers. Also, an attacker can use this method to craft a successful DOS attack against the application. There are various exploits in the market are publically available, which can be used by an attacker to leverage the presence of XML-RPC on the application server.

Detection of XML-RPC:

Crawl the FULL web application to see whether XMP-RPC is being used or not. Once you get the URL to try to access the URL in the browser.

XML RPC Detection

See the burp response for the same below

After detecting that XML-RPC is enabled on the server, an attacker can craft an XML request to list down all the methods that are enabled on the server as shown below. Replace Get with POST request and add method call in the request.

As observed in the screenshot that many dangerous methods like file.delete, node.delete, file.create etc, are allowed on the server side. An attacker can use this method to perform any malicious activity. There are exploits available on exploitDB for remote code execution.

Mitigation with AppTrana:

AppTrana reports this remote code execution with scanning. You can request a custom rule and POC for the vulnerability through our portal. The web application firewall will mitigate attacks by adding the following to .htaccess -file

<Files xmlrpc.php>

Order allow, deny

Deny from all

</Files>

Try our Free for Life Website Security Scan to find out such issues.