Advisories for Composer/Phpxmlrpc/Phpxmlrpc package

2023

XML-RPC for PHP allows access to local files via malicious argument to the Client::send method

Abusing the $method argument of Client::send, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url (the one used in the Client constructor). This weakness only affects installations where all the following conditions apply, at the same time: the xmlrpc Client is used, ie. not xmlrpc servers untrusted data (eg. data from remote users) is used as …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in phpxmlrpc/phpxmlrpc.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in phpxmlrpc/phpxmlrpc.

2022

phpxmlrpc vulnerable to argument injection

phpxmlrpc vulnerable to argument injection via local file access in Client:send via manipulation of $protocol argument.

code injection in phpxmlrpc/phpxmlrpc

code injection in Wrapper::buildClientWrapperCode via manipulation of the $client argument. It was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url.