A recent worm, Lupper, is traversing the Internet and exploiting computers that run the XML-RPC package for PHP. The official XML-RPC for PHP homepage states that the package’s abuse of the PHP eval function created a security hole that allowed remote execution of arbitrary code. This means that any system that runs PHP together with a faulty XML-RPC for PHP installation can potentially be affected.
Unfortunately, articles such as XML-RPC Threatens Linux, Unix Systems suggest that the worm attacks “web applications that run on Linux and Unix systems.” That article does not mention that worms exploiting the XML-RPC for PHP fault can potentially affect other operating systems as well. System administrators responsible for such systems should not overlook this security hole merely because it has been incorrectly associated with another operating system.
A simplified abuse of the eval function is presented below:

```php
<?php
// The console command is attacker-controlled data that is first pasted into
// a string of PHP source and then executed by eval().
$arbitraryConsoleCommand = 'dir'; // or format c:
// The command must be quoted inside the generated code, otherwise PHP sees
// a bare word rather than a string argument to system().
$functionCallString = "system('$arbitraryConsoleCommand');";
eval($functionCallString);
```
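To put the fix beside the fault, here is an added example (my own, not code from the original post or from the XML-RPC for PHP project) of a toy XML-RPC method dispatcher written in the eval-a-string style next to a hardened dispatcher that only ever treats request text as a lookup key or a value. The method names, handlers, sample calls and the fault codes are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the original post or from XML-RPC for PHP.
// Assumed: $method and $params were already parsed out of the XML-RPC request.

// Vulnerable shape: caller-controlled text is spliced into PHP source and
// handed to eval(), so a method name containing PHP syntax runs as code.
function dispatchVulnerable(string $method, string $arg): string
{
    $code = 'return ' . $method . '("' . $arg . '");';
    return (string) eval($code);
}

// Hardened shape: an explicit allow-list maps method names to callables;
// request text is only used as an array key or an argument value, never as code.
function dispatchSafe(string $method, array $params): array
{
    static $handlers = null;
    if ($handlers === null) {
        $handlers = [
            'example.echo'   => fn(string $s): string => $s,
            'example.length' => fn(string $s): int => strlen($s),
        ];
    }
    // Reject anything that is not a plain dotted identifier before the lookup,
    // so metacharacters never reach any later layer either.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_.]*$/', $method) || !isset($handlers[$method])) {
        return ['faultCode' => -32601, 'faultString' => 'method not found'];
    }
    try {
        return ['result' => $handlers[$method](...$params)];
    } catch (TypeError $e) {               // wrong arity or type from the client
        return ['faultCode' => -32602, 'faultString' => 'invalid params'];
    }
}

// Constructed sample calls.
var_dump(dispatchVulnerable('strtoupper', 'abc'));   // string(3) "ABC": works, but only by luck
var_dump(dispatchSafe('example.length', ['abc']));   // ['result' => 3]
var_dump(dispatchSafe('system', ['dir']));           // fault -32601: not on the allow-list
var_dump(dispatchSafe('example.echo', []));          // fault -32602: missing argument
```

The allow-list version is the same pattern a fixed XML-RPC dispatcher needs: the set of callable methods is fixed in code, and nothing taken from the wire is ever compiled.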
A stable version of XML-RPC for PHP that is apparently immune to this exploit has been available since September 2005. The security hole was discovered in August; worms that exploit it, and the publicity around them, surfaced only recently. The hole was likely found through third-party code inspection, and an update to the package was quickly made available.
A post on slashdot.com points out an outline for managing geeks by Eric Schmidt. If Schmidt still holds these management beliefs, then Google’s success at wooing technologists should be expected. The outline suggests that any tech company that intends to benefit from innovation needs in-house developers. He also restates the widely accepted software engineering observation that bigger development teams are less productive overall. Schmidt is direct in his analysis of geeks, and he prescribes sound practices that build on their characteristics to maximize both their productivity and their manageability.
An item on eweek.com references a supposed Microsoft developer’s blog entry, which conveys frustration with the decision to ship a product that is not ready for release. This developer’s sentiments are certainly shared by many developers in other software development efforts. The developer’s attachment to the product and dedication to minimizing its faults are admirable, but under market pressure some companies are forced to ignore requests for delays that are intended to fix possible showstoppers.
From a theoretical standpoint, the development process should be iterative and include some form of testing and risk management. Microsoft’s developers cannot be blamed for the faulty software, because the company, as a mature development house, certainly has such quality controls in its software development lifecycle. Implementing good software and coordinating the teams responsible for its components require time that Microsoft did not have. In a less competitive world, developers might take as much time as needed to deliver robust applications; Microsoft, however, is battling rival companies on several fronts in the computing industry’s hypercompetitive landscape. MySQL, an open-source database from MySQL AB, was released recently and has matured to a level that makes it competitive with Oracle and SQL Server. Microsoft needed to make SQL Server and the development tools that support it available before companies could plan and implement a transition to MySQL. Blame for the release of faulty SQL Server 2005 and Visual Studio implementations, if any is due, should be placed on the people responsible for Microsoft’s corporate strategy.
This article is a great mini-howto on getting Xen deployed quickly on Fedora Core 3. Testing changes in server configuration is one useful application of virtual machines like those provided by Xen. Unlike VMware, Xen requires that the operating systems on the host and guest machines either support or be modified to support the Xen architecture. In other words, existing operating systems without support for the Xen architecture cannot be used on guest machines under Xen. This seems to be the result of a decision to trade full virtualization for increased performance, and the results from performance comparisons of applications running on guest machines against those running natively are very exciting.
According to this article, a system administrator at PricewaterhouseCoopers adopted OpenBSD to resolve network computing problems. PricewaterhouseCoopers is allegedly a Windows shop, but the need to fulfill business requirements without spending more money pushed the system administrator toward open source solutions. “My experience is that if something has to be done, just do it – don’t ask! They will thank you later,” Mark Uemura says.