Having just sent our upcoming book No Nonsense XML Web Development With PHP to print, I’m breathing a sigh of relief today as a widely-publicized security vulnerability has been found in a library we almost used in the book but didn’t.
PHP has a standard library for building and consuming Web Services using the XML-RPC communication protocol. That library is the one used by the examples in the book, and it is not affected by the reported vulnerability.
Because this standard library is not enabled in a default PHP installation, many open source projects that require XML-RPC functionality have chosen to use an alternative library written entirely in PHP, which will run on most PHP configurations. Such alternatives include the PEAR XML-RPC module and the XML-RPC for PHP project. Both of these libraries are affected by the vulnerability.
Updated versions of these libraries are now available for download, and affected open source projects are quickly releasing advisories and updated versions to address the problem.