CMS frameworks like WordPress, Drupal generally use XML rpc where they require making procedures calls between disparate environments.
Xmlrpc is a set of implementations that allow software running on the disparate operating system in different environments to make procedure calls over the internet. It uses HTTP to transport the data and XML as the encoding.
XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. “XML-RPC” also refers generically to the use of XML for a remote procedure call, independently of the specific protocol. XML-RPC for PHP is affected by a remote code-injection vulnerability. An attacker may exploit this issue to execute arbitrary commands or code in the context of the web server. This may facilitate various attacks, including unauthorized remote access.
Find this vulnerability on your site with Free Website Security Scan.
In XML-RPC, a HTTP request is sent to a server implanting the protocol. A client in the scenario is a software wanting to call a single method of the remote system. Multiple input parameters can be passed to the remote method, one return value is returned. Nesting of the parameter types can be used to transport a larger request structure. Therefore, XML-RPC can be used to transport objects or structures both as input and as output parameters.
The main difference in REST and XML-RPC protocol is, where resource representations (documents) are transferred, XML-RPC is designed to call methods.
Vulnerability in XML-RPC allows an attacker to make a system call which can be dangerous for the application and servers. Also, an attacker can use this method to craft a successful DOS attack against the application. There are various exploits in the market are publically available, which can be used by an attacker to leverage the presence of XML-RPC on the application server.
Crawl the FULL web application to see whether XMP-RPC is being used or not. Once you get the URL to try to access the URL in the browser.
See the burp response for the same below
After detecting that XML-RPC is enabled on the server, an attacker can craft an XML request to list down all the methods that are enabled on the server as shown below. Replace Get with a POST request and add method call in the request.
As observed in the screenshot that many dangerous methods like file.delete, node.delete, file.create etc, are allowed on the server-side. An attacker can use this method to perform any malicious activity. There are exploits available on exploited for remote code execution.
AppTrana reports this remote code execution with scanning. You can request a custom rule and POC for the vulnerability through our portal. The web application firewall will mitigate attacks by adding the following to .htaccess -file
Order allow, deny
Deny from all
Try our Free for Life Website Security Scan to find out such issues.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various mgmt/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Data card.