PHP Blogging Apps Security Hole and Input validation
Recently, a security hole was found in the XML-RPC APIs of all the major PHP blogging apps. The XML-RPC flaw was discovered by James Bercegay of GulfTech Security Research. Bercegay found that the libraries are “vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver … By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server.” Detailed news here.
Out of curiosity, I looked at the code changes that fixed this flaw, and the culprit was the familiar one: the old programmer’s habit of not validating function parameters. By far, missing input validation is the number one cause of security holes in software. I remember that during the first security push Microsoft went through, some four years back, we were made to walk through every single line of code to make sure we did not miss such obvious things, and special emphasis was laid on input validation. Carrying that knowledge and experience forward, software security is built into the development process at our company, Tekriti. We believe, and act on the principle, that security is an integral part of the software development life-cycle and is not added to the code as an afterthought.
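As an added example (not code from the affected libraries or from their fix), the PHP below shows the bug class the advisory describes on a constructed, minimal XML-RPC struct parser, with a hardened version beside it. The request document, the function names and the struct shape are assumptions made for the demo. One caveat a practitioner should keep in mind: escaping the quotes in the generated source narrows this hole, but only dropping the eval() and parsing into ordinary data removes the class of bug entirely.

```php
<?php
// Added example, not code from the patched libraries: a constructed minimal
// <struct> parser that builds PHP source from request text and eval()s it
// (the bug class the advisory describes), beside a version with no eval().

// Constructed hostile request. The <name> text closes the single-quoted
// literal, runs a statement of its own, then reopens a literal so the rest
// of the generated source still parses. The payload here only echoes.
const REQUEST_XML = <<<'XML'
<?xml version="1.0"?>
<methodCall>
  <methodName>demo.echo</methodName>
  <params><param><value><struct>
    <member>
      <name>x'); echo "injected statement ran\n"; $ignored = array('</name>
      <value><string>hello</string></value>
    </member>
  </struct></value></param></params>
</methodCall>
XML;

// VULNERABLE PATTERN: generate PHP source from untrusted element text.
// Quoting is the only thing standing between request data and the interpreter.
function parseStructVulnerable(string $xml): array
{
    $doc  = new SimpleXMLElement($xml);
    $code = 'array(';
    foreach ($doc->params->param->value->struct->member as $member) {
        $name  = (string) $member->name;
        $value = (string) $member->value->string;
        $code .= "'" . $name . "' => '" . $value . "', ";
    }
    $code .= ')';
    // Generated source for the request above:
    //   $result = array('x'); echo "..."; $ignored = array('' => 'hello', );
    eval('$result = ' . $code . ';');
    return $result;
}

// HARDENED: the same parse done as data manipulation. No source is generated
// and nothing is eval()ed, so there is no quoting rule to bypass. The shape
// checks are the input validation the post talks about: reject anything
// unexpected instead of interpolating it.
function parseStructSafe(string $xml): array
{
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml);   // entities are not expanded by default
    libxml_use_internal_errors($prev);
    if ($doc === false || !isset($doc->params->param->value->struct)) {
        throw new InvalidArgumentException('expected a single <struct> param');
    }
    $out = [];
    foreach ($doc->params->param->value->struct->member as $member) {
        $name = (string) $member->name;
        if ($name === '' || !isset($member->value->string)) {
            throw new InvalidArgumentException('malformed <member>');
        }
        $out[$name] = (string) $member->value->string;   // stays inert data
    }
    return $out;
}

parseStructVulnerable(REQUEST_XML);     // prints "injected statement ran"
print_r(parseStructSafe(REQUEST_XML));  // hostile name is just an array key
```

Run it with the PHP CLI: the first call executes the statement smuggled in through the member name, while the second returns the same name as a plain string key and would throw on a request whose shape it does not expect.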
BTW, we did patch Ourmedia.org and my blog-site with those fixes too!