By Kevin Yank

Vulnerability affects PHP XML-RPC library

Having just sent our upcoming book No Nonsense XML Web Development With PHP to print, I’m breathing a sigh of relief today: a widely publicized security vulnerability has been found in a library we almost used in the book but didn’t.

PHP has a standard library for building and consuming Web Services over the XML-RPC communication protocol. That is the library the book’s examples use, and it is not affected by the reported vulnerability.

Because this standard library is not enabled in a default PHP installation, many open source projects that need XML-RPC functionality have chosen an alternative library written entirely in PHP, which runs on most PHP configurations. Such alternatives include the PEAR XML-RPC module and the XML-RPC for PHP project. Both of these libraries are affected by the vulnerability.

Updated versions of these libraries are now available for download, and affected open source projects are quickly releasing advisories and updated versions to address the problem.
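As an added example, not code from this post or from either of the libraries mentioned (the function names and the sample response below are my own), here is an XML-RPC response decoder in PHP that builds values by walking the parsed tree. The point is the one Nico Edtinger makes in the comments: values taken from a response are data, so the decoder copies them straight out of the parsed document and never assembles them into a PHP expression string, which leaves nothing for eval() to run. The sample response is constructed so that one string carries quote characters, a semicolon and a dollar sign; a tree walk treats them as ordinary bytes.

```php
<?php
// Added example, not code from either XML-RPC library: decode an XML-RPC
// <methodResponse> by walking the parsed tree. No part of the response is
// ever turned into PHP source, so eval() is never involved.

function xmlrpc_decode_value(SimpleXMLElement $value)
{
    // A <value> wraps one typed element; bare text inside <value> is a string.
    $typed = null;
    foreach ($value->children() as $child) {
        $typed = $child;
        break;
    }
    if ($typed === null) {
        return (string) $value;
    }
    $text = trim((string) $typed);

    switch ($typed->getName()) {
        case 'string':
            return (string) $typed;              // untrimmed: whitespace is data
        case 'int':
        case 'i4':
            if (!preg_match('/^-?[0-9]+$/', $text)) {
                throw new UnexpectedValueException("malformed <int>: $text");
            }
            return (int) $text;
        case 'boolean':
            if ($text !== '0' && $text !== '1') {
                throw new UnexpectedValueException("malformed <boolean>: $text");
            }
            return $text === '1';
        case 'double':
            if (!is_numeric($text)) {
                throw new UnexpectedValueException("malformed <double>: $text");
            }
            return (float) $text;
        case 'base64':
            $raw = base64_decode($text, true);   // strict mode rejects stray bytes
            if ($raw === false) {
                throw new UnexpectedValueException('malformed <base64>');
            }
            return $raw;
        case 'dateTime.iso8601':
            return $text;                        // left as text for the caller to parse
        case 'array':
            if (!isset($typed->data)) {
                throw new UnexpectedValueException('<array> without <data>');
            }
            $items = [];
            foreach ($typed->data->value as $item) {
                $items[] = xmlrpc_decode_value($item);
            }
            return $items;
        case 'struct':
            $fields = [];
            foreach ($typed->member as $member) {
                if (!isset($member->name) || !isset($member->value)) {
                    throw new UnexpectedValueException('<member> without <name> or <value>');
                }
                $fields[(string) $member->name] = xmlrpc_decode_value($member->value);
            }
            return $fields;
        default:
            throw new UnexpectedValueException('unknown XML-RPC type: ' . $typed->getName());
    }
}

function xmlrpc_decode_response($xml)
{
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($doc === false || $doc->getName() !== 'methodResponse') {
        throw new UnexpectedValueException('not a well-formed XML-RPC methodResponse');
    }
    if (isset($doc->fault)) {
        return ['fault' => xmlrpc_decode_value($doc->fault->value)];
    }
    if (!isset($doc->params->param->value)) {
        throw new UnexpectedValueException('methodResponse carries neither <params> nor <fault>');
    }
    return ['result' => xmlrpc_decode_value($doc->params->param->value)];
}

// Constructed sample response (not captured from any real server).
$sample = <<<'XML'
<?xml version="1.0"?>
<methodResponse>
  <params><param><value><struct>
    <member><name>title</name>
      <value><string>O'Reilly's "book"; $cost</string></value></member>
    <member><name>pages</name><value><int>312</int></value></member>
    <member><name>tags</name><value><array><data>
      <value>xml</value>
      <value><boolean>1</boolean></value>
    </data></array></value></member>
  </struct></value></param></params>
</methodResponse>
XML;

print_r(xmlrpc_decode_response($sample));
```

Each scalar type is validated against the shape XML-RPC allows before it is cast, so a malformed response raises an exception instead of being coerced silently, and the parser is told not to touch the network while resolving the document.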

  • Nico Edtinger

    May I take the quote out of the article “Eval is dead” from February (!): Rasmus: “If eval() is the answer, you’re almost certainly asking the wrong question.”

    It’s here:

    So we already knew it before. And still they thought it would be easier to use eval() to decode. BTW both libs seem to come from the same code.

    The solution is simple. Don’t use code that uses eval and code you don’t know exactly. If a string is generated from user input you can never know what the string’ll look like. Thus no one should use both libs as long as they only code around the problem instead of finding a replacement for the eval().


  • The new book sounds exciting!! When will it be released, and are you able to say yet what topics it’s going to cover? I’m keen to start learning about practical applications of XML.

  • Clenard

    Looking forward to this new book!

  • Gaetano Giunta

    May I only point out that the code in question dates from circa 1999, long before the PHP core team had even dreamed about ‘register_globals=BAD’.

    Everybody is tighter on security as of 2005.

    The only strange thing is nobody had ever found the breach before, given the wide exposure of the libs…
