GHSA-m95x-m25c-w9mp: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-m95x-m25c-w9mp) affects the XML-RPC for PHP library, specifically related to the Client::send method. Discovered and reported by TatianaGarcia94 in March 2021, this vulnerability was patched in version 4.9.0, released in January 2023. The issue affects all versions prior to 4.9.0 of the phpxmlrpc/phpxmlrpc Composer package (GitHub Advisory).

The vulnerability allows attackers to abuse the $method argument of Client::send to force the client to access local files or connect to undesired URLs instead of the intended target server's URL. This occurs when using curl as the HTTP transport mechanism (via https, http11, or http2 protocols, or when Client::setUseCurl() is called). The issue is triggered when either the Client's return_type property is set to 'xml' or when the Response object's httpResponse member (intended for debugging) is exposed to third parties (GitHub Advisory).

When successfully exploited, the vulnerability enables unauthorized access to local files on the server hosting the XML-RPC client and allows connections to unintended URLs. However, the impact is considered low due to the specific conditions required for exploitation (GitHub Advisory).

For users unable to upgrade to version 4.9.0, a temporary mitigation is available by adding the following code: $client->setCurlOptions([CURLOPT_PROTOCOLS, CURLPROTO_HTTPS|CURLPROTO_HTTP]);. This prevents the Client from accessing local files on the server. The permanent fix is to upgrade to version 4.9.0 or later (GitHub Advisory).