Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tOTV4LW0yNWMtdzltcM4AAw6k
XML-RPC for PHP allows access to local files via malicious argument to the Client::send method
Abusing the $method argument of Client::send, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url (the one used in the Client constructor).
This weakness only affects installations where all the following conditions apply, at the same time:
- the xmlrpc Client is used, ie. not xmlrpc servers
- untrusted data (eg. data from remote users) is used as value for the
$methodargument of methodClient::send(), in conjunction with conditions which trigger usage of curl as http transport (ie. either using the https, http11 or http2 protocols, or callingClient::setUseCurl()beforehand) - either have set the Clients
return_typeproperty to 'xml', or make the resulting Response's objecthttpResponsemember, which is intended to be used for debugging purposes only, available to 3rd parties, eg. by displaying it to the end user or serializing it in some storage (note that the same data can also be accessed via magic propertyResponse::raw_data, and in the Request'shttpResponsemember)
This is most likely a very uncommon usage scenario, and as such the chances of exploitation of this issue may be low.
If it is not possible to upgrade to this release of the library at this time, a proactive security measure, to avoid the Client accessing any local file on the server which hosts it, is to add the following call to your code:
$client->setCurlOptions([CURLOPT_PROTOCOLS, CURLPROTO_HTTPS|CURLPROTO_HTTP]);
Originally reported as issue #81
Permalink: https://github.com/advisories/GHSA-m95x-m25c-w9mpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOTV4LW0yNWMtdzltcM4AAw6k
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-m95x-m25c-w9mp
References:
- https://github.com/gggeek/phpxmlrpc/security/advisories/GHSA-m95x-m25c-w9mp
- https://github.com/gggeek/phpxmlrpc/issues/81
- https://github.com/gggeek/phpxmlrpc/commit/cf6e605e09d001ce520bfa8e7b168cfa514e663b
- https://github.com/advisories/GHSA-m95x-m25c-w9mp
Blast Radius: 0.0
Affected Packages
packagist:phpxmlrpc/phpxmlrpc
Dependent packages: 43Dependent repositories: 124
Downloads: 3,018,488 total
Affected Version Ranges: < 4.9.0
Fixed in: 4.9.0
All affected versions: 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1
All unaffected versions: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.10.0, 4.10.1, 4.10.2