GHSA-q79m-c546-2g63: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-q79m-c546-2g63) was identified in CakePHP's RequestHandlerComponent, affecting multiple versions of CakePHP from 2.0.0 through 3.0.6. The issue was disclosed on May 28, 2015, and impacted the XML payload handling functionality. The vulnerability affected multiple version ranges including CakePHP 3.0.0 to 3.0.6, and various 2.x versions from 2.0.0 to 2.6.6 (GitHub Advisory).

The vulnerability existed in the RequestHandlerComponent which leveraged Xml::build() functionality that allowed reading local files. The technical issue stemmed from the XML parsing mechanism that could be exploited through specially crafted requests. The fix involved adding a 'readFile' parameter to prevent unauthorized file access, as evidenced in the code changes (CakePHP Commit).

When exploited, this vulnerability could lead to a denial of service (DoS) attack through specially crafted XML payloads. The impact was significant enough to warrant a high severity rating (GitHub Advisory).

Two mitigation options were provided: 1) Upgrade to the patched versions (3.0.6, 2.6.6, 2.5.90, 2.4.99, 2.3.99, 2.2.99, 2.1.99, or 2.0.99), or 2) Disable XML payload parsing by adding a custom input type handler. The temporary workaround involved adding code to replace the built-in XML parsing with a no-op function (CakePHP Blog).