All releases up to and including version 1.0 of XML-RPC for PHP have a
serious security vulnerability, allowing hostile remote clients or
servers to execute arbitrary code on your machine.

It is of critical importance that, if you run an XML-RPC server or client
using the XML-RPC for PHP code, you update immediately.  Both client
and server installations are affected by this flaw.  The file you need
to replace is "xmlrpc.inc".

New code, version 1.01, can be downloaded from SourceForge:

https://sourceforge.net/project/showfiles.php?group_id=34455

I am indebted to Dan Libby for informing me of this security flaw. 

May I remind users that, as licensed, the code comes with absolutely no
warranty at all.  If you intend to use this code the responsibility for
auditing it rests with you.

I will disclose full details of the exploit on the project web site
soon, after asking Dan if he's amenable to his report being published.

-- Edd

