Joseph Scott
Forum Replies Created
Forum: Fixing WordPress
In reply to: 2.5.1: Looks like there is still a hole
@rawalex –
While I cannot confirm the actual content of the hack POST command, I can assure you that the hack occurs via XMLRPC.
That statement seems to contradict itself. If you don’t know the content of the HTTP POST, then how are you sure that it happened via XML-RPC?
The unwanted content may have been added via XML-RPC, that does not mean that’s how your blog was compromised though. This is the point Otto42 was making.
In order to fix an issue we need to have enough information to re-create it, otherwise we won’t be able to confirm that code changes actually fix the situation. Please send the needed details to [email protected].
Forum: Fixing WordPress
In reply to: 2.5.1: Looks like there is still a hole
Do you have details on how this was done? If so, please send them to [email protected].
If you aren’t sure that this problem got in via XML-RPC then deleting xmlrpc.php may not have addressed the issue.
Forum: Fixing WordPress
In reply to: 2.5.1: Looks like there is still a hole
@rawalex –
What we believe is happening in most cases of a 2.5.1 install having issues is that prior to the upgrade the blog was compromised. Once compromised, if the attacker was able to collect user passwords, they’ll still be able to inject content into your 2.5.1 blog. Once they have your username & password it doesn’t matter what version of WP you are using.
This would line up with what you described. If they acquired your username and password before your upgrade to 2.5.1 then they would be able to send a perfectly legit XML-RPC request to add and edit content.
So for folks who indicated that they were compromised, upgraded to 2.5.1 and cleaned up their content, they need to add another step: change your passwords.
If you do have details on what you believe to be a new issue please send that data to [email protected]. Then it can be looked at, hopefully reproduced and then fixed.
Forum: Everything else WordPress
In reply to: XML-RPC Post from Java
You don’t mention which method you are calling. Is it metaWeblog.newPost? The blog id value isn’t used, so sending 1 as the value for it is fine.
Can you log in via wp-admin using the same username and password? If not, then it is a username/password problem.
Forum: Fixing WordPress
In reply to: XMLRPC/mw_newMediaObject – Large files give request status of 0
Any chance your JavaScript XHR code is timing out?
Forum: Fixing WordPress
In reply to: XMLRPC/mw_newMediaObject – Large files give request status of 0
Does the metaWeblog.newMediaObject return any data when this happens? Normally you’d get an XML-RPC response with file, URL and type data.
Forum: Fixing WordPress
In reply to: Blog clients and WordPress
Sure, it’s entirely possible for a theme to get in there and mess things up, although that isn’t usually the most likely culprit.
If there is a functions.php file in your theme, that is most likely where the problem would be. Could also be in a language translation file I suppose.
Forum: Fixing WordPress
In reply to: Blog clients and WordPress
That response looks ok. Are you sure there was nothing else in the HTTP response? A byte order marker (BOM) or anything else?
At this point I’d try the WLW forums and see if they can provide any clues. I’ve worked with some of the WLW team members, so if they have any questions on the WordPress side of things they know how to reach me.
Forum: Fixing WordPress
In reply to: Blog clients and WordPress
Most likely something is injecting additional characters that are messing up the XML formatting.
Plugins would be my first suspect. If you disable all of your plugins, does WLW work normally? If so, enable each plugin one at a time until WLW breaks again, then you’ll know which plugin is causing the problem.
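Added example, not part of the original forum replies: a small Python check for the two causes raised in the replies above, a byte order mark or other stray bytes around the XML-RPC response. The function name and the sample responses are constructed for illustration.

```python
import codecs

# Byte order marks that can end up in front of the XML declaration.
BOMS = [
    (codecs.BOM_UTF8, "UTF-8 BOM"),
    (codecs.BOM_UTF16_LE, "UTF-16 LE BOM"),
    (codecs.BOM_UTF16_BE, "UTF-16 BE BOM"),
]
END_TAG = b"</methodResponse>"


def find_stray_bytes(body: bytes) -> list:
    """Return descriptions of bytes found outside the XML-RPC envelope."""
    problems = []
    rest = body
    for mark, name in BOMS:
        if rest.startswith(mark):
            problems.append(f"{name} at offset 0")
            rest = rest[len(mark):]
            break
    # The XML declaration (or the root element when there is no declaration)
    # must be the first thing in the body; anything before it was emitted
    # by some other code that ran during the request.
    start = rest.find(b"<?xml")
    if start == -1:
        start = rest.find(b"<methodResponse")
    if start == -1:
        problems.append("no XML-RPC envelope found")
        return problems
    if start > 0:
        problems.append(f"{start} byte(s) before the XML start: {rest[:start]!r}")
    end = rest.rfind(END_TAG)
    if end == -1:
        problems.append("missing </methodResponse>")
    else:
        tail = rest[end + len(END_TAG):]
        if tail.strip():  # trailing whitespace alone is harmless
            problems.append(f"{len(tail)} byte(s) after </methodResponse>: {tail!r}")
    return problems


# Constructed sample responses (not captured from a real blog).
CLEAN = (b'<?xml version="1.0"?>\n<methodResponse><params><param><value>'
         b'<string>42</string></value></param></params></methodResponse>\n')
WITH_BOM = codecs.BOM_UTF8 + CLEAN
WITH_JUNK = b"\n\n" + CLEAN + b"<!-- debug -->"

if __name__ == "__main__":
    for label, body in [("clean", CLEAN), ("bom", WITH_BOM), ("junk", WITH_JUNK)]:
        print(label, find_stray_bytes(body))
```

Run it on the raw response body saved from the failing client request, then repeat after disabling each plugin to see when the reported bytes disappear.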
Forum: Fixing WordPress
In reply to: XML-RPC function/hook for native tags
You can add/edit tags on a post via the mt_keywords field in the metaWeblog.newPost and metaWeblog.editPost XML-RPC methods.
Forum: Fixing WordPress
In reply to: Offline WordPress Pages Editor
WordPress has a page editing API. One client application that I can confirm makes use of it is Windows Live Writer.
Forum: Fixing WordPress
In reply to: Improper behavior when saving a draft
I tried this with the CVS version from tonight (19 May 2004, 10:30pm) and was not able to reproduce it.