Vulnerability affects PHP XML-RPC library


Having just sent our upcoming book No Nonsense XML Web Development With PHP to print, I’m breathing a sigh of relief today as a widely-publicized security vulnerability has been found in a library we almost used in the book but didn’t.

PHP has a standard library for building and consuming Web Services using the XML-RPC communication protocol. That library is the one that is used by the examples in the book, and is not affected by the reported vulnerability.

Because this standard library is not enabled in a default PHP installation, many open source projects that require XML-RPC functionality have chosen to use an alternative library written entirely in PHP, which will run on most PHP configurations. Such alternatives include the PEAR XML-RPC module and the XML-RPC for PHP project. Both of these libraries are affected by the vulnerability.

Updated versions of these libraries are now available for download, and affected open source projects are quickly releasing advisories and updated versions to address the problem.

Kevin Yank

Kevin Yank is an accomplished web developer, speaker, trainer and author of Build Your Own Database Driven Website Using PHP & MySQL and Co-Author of Simply JavaScript and Everything You Know About CSS is Wrong! Kevin loves to share his wealth of knowledge and it didn't stop at books, he's also the course instructor to 3 online courses in web development. Currently Kevin is the Director of Front End Engineering at Culture Amp.
