
I wonder how many people are even using the XML RPC module. It doesn't get loaded by default.

Edit: 468 according to Shodan. I'm wondering if senddirectorydocument gets used at all by the XML RPC module.



Following up on this, I was unable to get it to do anything.

    curl --show-error --get --request GET --user freeswitch:works "http://localhost:8080/${SIXTEEN_THOUSAND_RANDOM_CHARACTERS}"

Any ideas on triggering it? I imagine if we get a PoC that at least causes a segfault or whatever, they will be more likely to do a security release.


I may be wrong, but I think you need to enable the module for API access.


Yeah, it's enabled with `load mod_xml_rpc`. Listening on 8080.

    $ ./test3 # see above
    <HTML><HEAD><TITLE>Error 408</TITLE></HEAD><BODY><H1>Error 408</H1><P>Problem getting the request header</P><p><HR><b><i><a href="http://xmlrpc-c.sourceforge.net">ABYSS Web Server for XML-RPC For C/C++</a></i></b> version 1.26.0<br></p></BODY></HTML>

hmmm



