Popular free and open source blogging, wiki and content management programs face a security threat in the way PHP programs handle XML commands.

According to James Bercegay, researcher at GulfTech Security Research who found the flaws, an attacker can compromise a Web server through a security hole in the XML-RPC function.

The flaw lies in two PHP libraries, PHPXMLRPC and PEAR XML-RPC, which let applications exchange XML using remote procedure calls: neither checks incoming data for malicious commands.

Bercegay said the level of the threat was "high risk" and that it affects popular PHP programs such as PostNuke, Drupal, b2evolution, TikiWiki and others.

The PHP libraries have been updated, and are available for download. For developers who cannot upgrade to the new libraries, disabling the XML-RPC functions has been a recommended solution.
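For sites that keep XML-RPC enabled, the underlying defence is the one the article says the libraries lacked: checking the incoming request before anything is dispatched. The following is an added example written for this page, not code from either library or from any of the listed applications; it is a strict parser for an XML-RPC methodCall that admits only an allowlisted method name and parameters of the expected type, and the method names and helper name are hypothetical.

```php
<?php
// Added example: validate an XML-RPC <methodCall> against an allowlist of
// method names and parameter types before dispatching it. Hypothetical code.

function parse_xmlrpc_request(string $xml, array $allowed): array
{
    // Strict DOM parsing with network fetches disabled; the body is treated
    // as data only and is never evaluated as code.
    $dom = new DOMDocument();
    $oldErr = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($oldErr);
    if (!$ok || $dom->documentElement->tagName !== 'methodCall') {
        throw new InvalidArgumentException('not an XML-RPC methodCall');
    }
    $xp = new DOMXPath($dom);
    $name = $xp->evaluate('string(/methodCall/methodName)');
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException("method not allowed: $name");
    }
    $params = [];
    foreach ($xp->query('/methodCall/params/param/value') as $i => $value) {
        $expected = $allowed[$name][$i] ?? null;       // null => extra param
        $typeNode = $xp->query('./*', $value)->item(0); // <int>, <string>, ...
        $type = $typeNode ? $typeNode->tagName : 'string';
        if ($type !== $expected) {
            throw new InvalidArgumentException("param $i: expected $expected, got $type");
        }
        $text = $typeNode ? $typeNode->textContent : $value->textContent;
        if ($expected === 'int') {
            if (!preg_match('/^-?\d+$/', $text)) {
                throw new InvalidArgumentException("param $i: not an integer");
            }
            $params[] = (int) $text;
        } else {
            $params[] = $text;   // opaque string, passed through untouched
        }
    }
    if (count($params) !== count($allowed[$name])) {
        throw new InvalidArgumentException('wrong number of parameters');
    }
    return ['method' => $name, 'params' => $params];
}

// Constructed sample requests: one acceptable, one calling a method that is
// not on the allowlist (hypothetical method names).
$allowed = ['blog.getPost' => ['int'], 'blog.search' => ['string']];
$good = '<?xml version="1.0"?><methodCall><methodName>blog.getPost</methodName>'
      . '<params><param><value><int>42</int></value></param></params></methodCall>';
$bad  = '<?xml version="1.0"?><methodCall><methodName>blog.deletePost</methodName>'
      . '<params><param><value><int>42</int></value></param></params></methodCall>';
var_dump(parse_xmlrpc_request($good, $allowed));
try { parse_xmlrpc_request($bad, $allowed); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```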

The PEAR XML_RPC 1.3.1 upgrade can be found here. The PHPXMLRPC upgrade can be downloaded here.