-[XML-RPC]-

-as of [24 AUGUST 2024]

.

-XML-

.

-RPC-

.

-[XML-RPC] is a remote procedure call (RPC) protocol which uses XML to encode its calls and [HTTP] as a [transport mechanism]-

.

History

The XML-RPC protocol was created in 1998 by Dave Winer of UserLand Software and Microsoft, with Microsoft seeing the protocol as an essential part of scaling up its efforts in business-to-business e-commerce.

.

As new functionality was introduced, the standard evolved into what is now SOAP.[4]

UserLand supported XML-RPC from version 5.1 of its Frontier web content management system,[4] released in June 1998.

XML-RPC’s idea of a human-readable-and-writable, script-parsable standard for HTTP-based requests and responses has also been implemented in competing specifications such as Allaire’s Web Distributed Data Exchange (WDDX) and webMethod’s Web Interface Definition Language (WIDL).[6]

Prior art wrapping COM, CORBA, and Java RMI objects in XML syntax and transporting them via HTTP also existed in DataChannel’s WebBroker technology.[7][8]

The generic use of XML for remote procedure call (RPC) was patented by Phillip Merrick, Stewart Allen, and Joseph Lapp in April 2006, claiming benefit to a provisional application filed in March 1998.

The patent was assigned to webMethods, located in Fairfax, VA. The patent expired on 23 March 2019[9]

.

.

Usage

In XML-RPC, a client performs an RPC by sending an HTTP request to a server that implements XML-RPC and receives the HTTP response.

A call can have multiple parameters and one result.

The protocol defines a few data types for the parameters and result.

Some of these data types are complex, i.e. nested.

For example, you can have a parameter that is an array of five integers.

The parameters/result structure and the set of data types are meant to mirror those used in common programming languages.

Identification of clients for authorization purposes can be achieved using popular HTTP security methods; the protocol itself defines no authentication.

Basic access authentication can be used for identification and authentication. Its credentials are only base64-encoded in a request header, so it is acceptable only over HTTPS.

In comparison to RESTful protocols, where resource representations (documents) are transferred, XML-RPC is designed to call methods.

The practical difference is just that XML-RPC is much more structured, which means common library code can be used to implement clients and servers and there is less design and documentation work for a specific application protocol.

One salient technical difference between typical RESTful protocols and XML-RPC is that the RESTful protocol uses the HTTP URI for parameter information whereas with XML-RPC, the URI just identifies the server.

JSON-RPC is similar to XML-RPC, with JSON in place of XML as the encoding.

.

Data types

Common datatypes are converted into their XML equivalents with example values shown below. Every typed value sits inside a <value> element; a <value> with no type tag is a string.

Name: array
Tag: <array>
Example: <array><data><value><i4>1404</i4></value><value><string>Something here</string></value><value><i4>1</i4></value></data></array>
Description: Array of values, storing no keys

Name: base64
Tag: <base64>
Example: <base64>eW91IGNhbid0IHJlYWQgdGhpcyE=</base64>
Description: Base64-encoded binary data

Name: boolean
Tag: <boolean>
Example: <boolean>1</boolean>
Description: Boolean logical value (0 or 1)

Name: date/time
Tag: <dateTime.iso8601>
Example: <dateTime.iso8601>19980717T14:08:55Z</dateTime.iso8601>
Description: Date and time in ISO 8601 format (the spec leaves the time zone unspecified, so client and server must agree on one out of band)

Name: double
Tag: <double>
Example: <double>-12.53</double>
Description: Double precision floating point number

Name: integer
Tag: <int> or <i4>
Example: <int>42</int> or <i4>42</i4>
Description: Whole number, four-byte signed integer

Name: string
Tag: <string>
Example: <string>Hello world!</string> or <value>Hello world!</value> (untyped value)
Description: String of characters. Must follow XML encoding.

Name: struct
Tag: <struct>
Example: <struct><member><name>foo</name><value><i4>1</i4></value></member><member><name>bar</name><value><i4>2</i4></value></member></struct>
Description: Associative array

Name: nil
Tag: <nil/>
Example: <nil/>
Description: Discriminated null value; an XML-RPC extension
Examples

An example of a typical XML-RPC request would be:

<?xml version="1.0"?>
<methodCall>
  <methodName>examples.getStateName</methodName>
  <params>
    <param>
      <value><i4>40</i4></value>
    </param>
  </params>
</methodCall>

An example of a typical XML-RPC response would be:

<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value><string>South Dakota</string></value>
    </param>
  </params>
</methodResponse>

A typical XML-RPC fault would be:

<?xml version="1.0"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>4</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Too many parameters</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>
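Worked example, added here and not taken from the page or from any XML-RPC library: it builds the request above with Python's standard library, dispatches it the way a server would (returning the result, the faultCode 4 fault, or a generic application-error fault instead of a traceback), decodes both kinds of response, and frames a call as the HTTP POST it rides on. The state table, faultCode 1 for an unknown method, and the -32500 application-error code (from the XML-RPC fault-code interoperability draft) are this example's own choices.

```python
"""Encode, dispatch and decode the three XML-RPC message kinds (methodCall,
methodResponse, fault) with the standard library, and frame one call as the
HTTP POST it travels in.  Added example, not code from the page or from any
XML-RPC project."""
import base64
import xmlrpc.client as xc

# Constructed server-side registry mirroring examples.getStateName above.
STATE_NAMES = {40: "South Dakota"}
METHODS = {"examples.getStateName": lambda number: STATE_NAMES[number]}


def build_request(method, *params):
    """Client side: serialise a <methodCall>; each param becomes a <param>."""
    return xc.dumps(params, methodname=method)


def frame_http(host, path, body, username=None, password=None):
    """Wrap a call in its HTTP POST.  The URI only names the server (the
    method name lives in the body), and Basic auth is just a base64 header,
    so this framing is only acceptable over TLS."""
    payload = body.encode("utf-8")
    lines = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Content-Type: text/xml",
        "Content-Length: %d" % len(payload),
    ]
    if username is not None:
        token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
        lines.append("Authorization: Basic " + token.decode("ascii"))
    return "\r\n".join(lines) + "\r\n\r\n" + body


def dispatch(request_xml):
    """Server side: parse a <methodCall>, run the handler and return the
    <methodResponse> body, either a result or a <fault>."""
    try:
        params, method = xc.loads(request_xml)
        handler = METHODS.get(method)
        if handler is None:
            raise xc.Fault(1, "unknown method: %s" % method)  # code 1: this example's choice
        if len(params) > 1:
            raise xc.Fault(4, "Too many parameters")          # the fault shown above
        return xc.dumps((handler(*params),), methodresponse=True)
    except xc.Fault as fault:
        return xc.dumps(fault)          # dumps() accepts a Fault and emits <fault>
    except Exception as exc:
        # Handler bugs and malformed XML become a generic fault; never echo a
        # traceback.  -32500 is "application error" in the fault-code
        # interoperability draft (an assumption of this example, not the spec).
        return xc.dumps(xc.Fault(-32500, "application error: %s" % type(exc).__name__))


def parse_response(response_xml):
    """Client side: loads() returns ((value,), None) for a result and raises
    xmlrpc.client.Fault for a <fault>; normalise both to (value, fault)."""
    try:
        (value,), _ = xc.loads(response_xml)
    except xc.Fault as fault:
        return None, (fault.faultCode, fault.faultString)
    return value, None
```

Python's own documentation warns that xmlrpc.client is not secure against maliciously constructed data (entity expansion, deeply nested values); a server that takes untrusted input should wrap the parser with defusedxml.xmlrpc.monkey_patch() and cap the request body size before it reaches loads().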

.

Criticism

Recent critics (from 2010 and onwards) of XML-RPC argue that RPC calls can be made with plain XML, and that XML-RPC does not add any value over XML.

Both XML-RPC and XML require an application-level data model, such as which field names are defined in the XML schema or the parameter names in XML-RPC.

Furthermore, XML-RPC uses about 4 times the number of bytes compared to plain XML to encode the same objects, which is itself verbose compared to JSON.

.

See also

Ajax (programming)

Component technologies

Comparison of data serialization formats

OPML

JSON-RPC

Web service

gRPC

References

^ Simon St. Laurent, Joe Johnston, Edd Dumbill. (June 2001) Programming Web Services with XML-RPC. O’Reilly. First Edition.

^ Box, Don (1 April 2001). “A Brief History of SOAP”. O’Reilly. Retrieved 27 October 2010.

^ Rupley, Sebastian (30 June 1999). “XML’s Next Step”. PC Magazine. Archived from the original on 4 March 2000. Retrieved 17 November 2015.

^ Walsh, Jeff (10 July 1999). “Microsoft spearheads protocol push”. Infoworld. Archived from the original on 14 September 1999. Retrieved 17 November 2015.

^ Walsh, Jeff (29 June 1998). “UserLand releases Frontier 5.1, drops freeware model”. InfoWorld. Archived from the original on 15 September 1999. Retrieved 17 November 2015.

^ Udell, Jon (7 June 1999). “Exploring XML-RPC: DCOM? CORBA? RMI? Why Not Just XML-RPC?”. Byte. Archived from the original on 4 March 2000. Retrieved 17 November 2015.

^ Walsh, Jeff (25 May 1998). “W3C gives a nod to DataChannel’s WebBroker”. Infoworld. 20 (21). Archived from the original on 10 September 1999. Retrieved 17 November 2015.

^ Vizard, Michael; Walsh, Jeff (29 June 1998). “DataChannel’s Dave Pool talks about shaping the role of XML to suit different needs”. Infoworld. Archived from the original on 16 September 1999. Retrieved 8 December 2015.

^ Merrick; et al. (11 April 2006). “US Patent 7,028,312”. Retrieved 18 September 2008.

^ “What is the benefit of XML-RPC over plain XML?”. Stack Overflow. 9 September 2009. Retrieved 7 April 2011.

^ “An open poll on the merits of XmlRpc versus alternatives”. www.intertwingly.net. 22 November 2006. Retrieved 7 April 2011.

^ Jon Canady (14 January 2010). “If you have REST, why XML-RPC?”. joncanady.com. Archived from the original on 11 May 2013. Retrieved 7 April 2011.

External links

Official website

source: en.wikipedia.org/wiki/XML-RPC

XML-RPC, Contributors to Wikimedia projects, 9/5/2002

Not to be confused with the use of XML for RPC, independently of the specific protocol.

This article is about the protocol named “XML-RPC”

.

*DANGERS OF XML-RPC*
(via ‘wordpress scan’ plug-in)

blog.wpscan.com /is-wordpress-xmlrpc-a-security-problem/

Is WordPress XMLRPC a security problem? – WPScan WordPress Security

Published by wpscanteam, 6/29/2021

What is WordPress XMLRPC?

WordPress XMLRPC allows other websites and software to interact with your WordPress website.

Also known as an API.

Some examples include creating new posts, adding comments, deleting pages and probably most commonly used in WordPress, pingbacks.

As the name suggests, XMLRPC works by sending and receiving XML data.

In WordPress, the file responsible for XMLRPC is called xmlrpc.php.

This is the file that will receive XML data, process it and return the response, also in XML

.

What does an XML-RPC request look like?

A typical API request body looks like the following:

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>demo.sayHello</methodName>
  <params></params>
</methodCall>

The xmlrpc.php file needs the valid XML sent to it as a POST request. The easiest way to do this in Linux is to use cURL. The following command will send the XML contained within the 'demo.sayHello.txt' file as a POST request to the remote WordPress API:

curl --data @demo.sayHello.txt http://www.example.com/xmlrpc.php

.

Which should return a response that looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
        <string>Hello!</string>
      </value>
    </param>
  </params>
</methodResponse>
What are the security risks with leaving WordPress XMLRPC enabled?
Over the years there have been many security issues that have affected the WordPress XMLRPC API. A quick search on wpscan.com shows the following vulnerabilities:

[screenshot: XML-RPC search results on wpscan.com]

The vulnerabilities go as far back as WordPress 1.5.1.2 and include SQL Injection vulnerabilities, Server-Side Request Forgery (SSRF) vulnerabilities, Denial of Service (DoS) vulnerabilities and others.

How to disable XML-RPC
There are many security plugins available that will attempt to disable WordPress's XML-RPC interface, such as the Disable XML-RPC plugin. However, we found out while implementing the XMLRPC check in our own WordPress security plugin that many of the plugins that claim to disable XMLRPC don't do so completely. Instead, they only prevent authentication on the XMLRPC interface (typically by returning false from WordPress's xmlrpc_enabled filter, which is only consulted when a method tries to log a user in), which only blocks access to the authenticated methods, leaving the unauthenticated methods still publicly accessible.

Disabling authentication on the XMLRPC interface does decrease the attack surface significantly, as most of the dangerous functions require authentication. But this still leaves the unauthenticated methods wide open, and we have seen very serious vulnerabilities affect the unauthenticated methods in the past, such as the pingback Server-Side Request Forgery vulnerability.

The only way to be 100% sure that access to the xmlrpc.php file is completely blocked is to do so from the webserver configuration. Some examples for the most popular webservers are given below.

Nginx
To block access to xmlrpc.php in nginx use the following configuration. Note that return is handled in the rewrite phase, before deny is evaluated in the access phase, so the 404 is what clients see; deny all is a backstop in case the return line is ever removed:

location = /xmlrpc.php {
    deny all;
    return 404;
}

Apache
If you have access to your main Apache configuration file, use the code below there. Alternatively, create a file named .htaccess in your WordPress directory with the following contents. The <Files> wrapper is what scopes the rule to xmlrpc.php; a bare Require all denied in .htaccess would block the whole directory. (Require is Apache 2.4 syntax; 2.2 used Order deny,allow and Deny from all.)

<Files xmlrpc.php>
    Require all denied
</Files>
From within the source code
Scott Brown Consulting documented a way to disable XML-RPC from within WordPress or a WordPress plugin, which hooks the xmlrpc_methods filter, as shown below.

// disable xmlrpc: return an empty method table so no call can be dispatched
function remove_xmlrpc_methods( $methods ) {
    return array();
}
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_methods' );

Note that this empties the method table but xmlrpc.php itself still runs: every request is still parsed by WordPress's XML-RPC server and answered with a "method does not exist" fault, so the endpoint remains an XML parser reachable from the internet. Only the web server rules above stop the file from executing at all.

Checking if XML-RPC is disabled
Our WordPress security plugin will detect if XMLRPC is enabled or not. Our plugin will also go as far as testing if both authenticated and unauthenticated access is blocked, or not.

As we mentioned above, most plugins will still allow unauthenticated methods, which have been known to be affected by serious security issues in the past.

We will show this warning if XMLRPC is completely enabled (both authenticated and unauthenticated):

[screenshot: "WordPress XMLRPC enabled" warning]

We will show this warning if XMLRPC is partially disabled (still allows unauthenticated methods):

[screenshot: "WordPress XMLRPC enabled" warning]
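Probe, added here as an example and not WPScan's plugin code, that turns the cURL walkthrough above and the enabled / partially-disabled / blocked verdicts of this section into one function that can be exercised offline. It sends demo.sayHello, system.listMethods and wp.getUsersBlogs with throwaway credentials and classifies the three replies. The fault codes it keys on (405 when xmlrpc_enabled is false, 403 for a rejected login) are what wp_xmlrpc_server::login() returns; the set of "risky" unauthenticated methods, the verdict names and the probe method choices are this example's own. The login probe is a real failed login against the target, so expect it in the site's auth logs and brute-force counters.

```python
"""Probe a WordPress xmlrpc.php endpoint and tell apart: blocked at the web
server, answering XML-RPC but with every method removed, logins refused
(the xmlrpc_enabled filter most "disable" plugins set) while unauthenticated
methods stay reachable, and fully enabled.  Added example using only the
Python standard library; not WPScan's plugin code."""
import urllib.error
import urllib.request
import xmlrpc.client as xc

# wp.getUsersBlogs is the cheapest way to exercise WordPress's login path
# (it needs only a username and password).  The unauthenticated methods
# listed are the ones this example treats as risky (pingback.ping is the
# one behind the SSRF history above).
AUTH_PROBE = "wp.getUsersBlogs"
RISKY_UNAUTH = {"pingback.ping", "system.multicall"}


def xmlrpc_body(method, *params):
    """Client side: <methodCall> bytes for one invocation."""
    return xc.dumps(params, methodname=method).encode("utf-8")


def post(url, body, timeout=10):
    """POST one call; returns (http_status, text), status 0 if no connection."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 403/404 from the server rules above
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def decode(reply):
    """Normalise one (status, text) reply to ('result', value),
    ('fault', code) or ('http', status) when the body is not XML-RPC."""
    status, text = reply
    if status != 200:
        return "http", status
    try:
        (value,), _ = xc.loads(text)
    except xc.Fault as fault:
        return "fault", fault.faultCode
    except Exception:                           # HTML error page, empty body, ...
        return "http", status
    return "result", value


def classify(hello, methods, login):
    """hello, methods, login: replies to demo.sayHello, system.listMethods
    and wp.getUsersBlogs with dummy credentials.  Returns (verdict, sorted
    list of risky unauthenticated methods still exposed)."""
    kind, value = decode(hello)
    if kind == "http" and value in (0, 401, 403, 404, 405):
        return "blocked", []                    # web server rule, or unreachable
    if kind == "fault":
        return "methods-removed", []            # e.g. xmlrpc_methods filtered to []
    if kind != "result" or value != "Hello!":
        return "unknown", []                    # something other than WordPress answers
    kind, value = decode(methods)
    exposed = sorted(set(value) & RISKY_UNAUTH) if kind == "result" and isinstance(value, list) else []
    # WordPress answers fault 405 "XML-RPC services are disabled on this site."
    # when xmlrpc_enabled is false, and fault 403 "Incorrect username or
    # password." when logins are still processed.
    kind, value = decode(login)
    if kind == "fault" and value == 405:
        return "auth-disabled", exposed
    return "enabled", exposed


def probe(url):
    """Run the three requests against a live site, e.g.
    probe("http://www.example.com/xmlrpc.php")."""
    return classify(
        post(url, xmlrpc_body("demo.sayHello")),
        post(url, xmlrpc_body("system.listMethods")),
        post(url, xmlrpc_body(AUTH_PROBE, "probe", "probe")),
    )
```

A verdict of "auth-disabled" with a non-empty method list is exactly the partially-disabled state described above: the plugin has stopped logins, but pingback.ping and system.multicall still answer to anyone.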

.

*conclusions*

When enabled, XMLRPC increases your WordPress website’s attack surface, as attackers have more “windows” to try to break through.

We can be pretty confident that in the latest version of WordPress, XMLRPC is secure enough.

That being said, we do recommend that it be disabled with webserver configurations, as in the majority of cases, WordPress XMLRPC is hardly used.

Some plugins may claim that they have disabled the XML-RPC interface, but in some cases, this can be misleading, and leave unauthenticated methods accessible.

To check if your WordPress XML-RPC is properly disabled, run a free scan with our ‘WordPress security plugin’*

.

.

💲🤑*SALES PITCH ALERT*🤑💲

.

.

*👨‍🔬🕵️‍♀️🙇‍♀️*SKETCHES*🙇‍♂️👩‍🔬🕵️‍♂️*

.

📚📖|/\-*WIKI-LINK*-/\|📖📚

.

.

👈👈👈☜*-THE [WORLD WIDE WEB]-* ☞ 👉👉👉

.

.

💕💝💖💓🖤💙🖤💙🖤💙🖤❤️💚💛🧡❣️💞💔💘❣️🧡💛💚❤️🖤💜🖤💙🖤💙🖤💗💖💝💘

.

.

*🌈✨ *TABLE OF CONTENTS* ✨🌷*

.

.

🔥🔥🔥🔥🔥🔥*we won the war* 🔥🔥🔥🔥🔥🔥
