Skip to content

XML-RPC for PHP allows access to local files via malicious argument to the Client::send method

Moderate severity GitHub Reviewed Published Jan 11, 2023 in gggeek/phpxmlrpc

Package

composer phpxmlrpc/phpxmlrpc (Composer)

Affected versions

< 4.9.0

Patched versions

4.9.0

Description

Abusing the $method argument of Client::send, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url (the one used in the Client constructor).

This weakness only affects installations where all the following conditions apply, at the same time:

  • the xmlrpc Client is used, ie. not xmlrpc servers
  • untrusted data (eg. data from remote users) is used as value for the $method argument of method Client::send(), in conjunction with conditions which trigger usage of curl as http transport (ie. either using the https, http11 or http2 protocols, or calling Client::setUseCurl() beforehand)
  • either have set the Clients return_type property to 'xml', or make the resulting Response's object httpResponse member, which is intended to be used for debugging purposes only, available to 3rd parties, eg. by displaying it to the end user or serializing it in some storage (note that the same data can also be accessed via magic property Response::raw_data, and in the Request's httpResponse member)

This is most likely a very uncommon usage scenario, and as such the chances of exploitation of this issue may be low.

If it is not possible to upgrade to this release of the library at this time, a proactive security measure, to avoid the Client accessing any local file on the server which hosts it, is to add the following call to your code:

  $client->setCurlOptions([CURLOPT_PROTOCOLS, CURLPROTO_HTTPS|CURLPROTO_HTTP]);

Originally reported as issue #81

References

@gggeek gggeek published to gggeek/phpxmlrpc Jan 11, 2023
Published to the GitHub Advisory Database Jan 11, 2023
Reviewed Jan 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-m95x-m25c-w9mp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.