xmlrpc.client and xmlrpc.server. ServerProxy RPCs execute arbitrary methods — dispatch on untrusted method names is a sink. ServerProxy + HTTP (not HTTPS) transmits credentials in plaintext.
.ServerProxy() [Sink]
xmlrpc.client.ServerProxy(uri, transport=None, encoding=None, verbose=False, ...) -> ServerProxy
Opens an XML-RPC connection. Finding on http:// URIs (credentials in plaintext).

.loads() [Sink]
xmlrpc.client.loads(data, use_datetime=False, use_builtin_types=False) -> (params, methodname)
Parses an XML-RPC response. Inherits XXE surface from the XML parser.
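The two findings above, illustrated from the defender's side (added example, not part of the rule page or of codepathfinder): a check for the plaintext-credential case that ServerProxy does not perform itself, and a server-side dispatcher that exposes an explicit allowlist so an untrusted method name cannot reach anything unlisted. Host names and function names are constructed for the example.

```python
from urllib.parse import urlsplit
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


def uri_sends_credentials_in_plaintext(uri: str) -> bool:
    """True when a ServerProxy built from `uri` would send the userinfo
    (user:password@) unencrypted.

    ServerProxy turns the userinfo into a Basic Authorization header on
    every request; over http:// that header crosses the wire in clear."""
    parts = urlsplit(uri)
    has_userinfo = parts.username is not None or parts.password is not None
    return parts.scheme.lower() == "http" and has_userinfo


def make_proxy(uri: str) -> xmlrpc.client.ServerProxy:
    """Build a ServerProxy, refusing URIs that would leak credentials.

    Constructing ServerProxy does not open a connection, so this runs
    offline; the first RPC call is what actually connects."""
    if uri_sends_credentials_in_plaintext(uri):
        raise ValueError("refusing to send XML-RPC credentials over plain HTTP")
    return xmlrpc.client.ServerProxy(uri)


def build_allowlisted_dispatcher() -> SimpleXMLRPCDispatcher:
    """Server side: register individual functions under fixed names instead
    of exposing a whole object (register_instance, especially with
    allow_dotted_names=True). Dispatch on a method name supplied by the
    client can then only resolve to the names registered here."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    # Constructed example function; the name "add" is the only one exposed.
    dispatcher.register_function(lambda a, b: a + b, "add")
    return dispatcher


if __name__ == "__main__":
    # Constructed URIs; no request is sent.
    print(uri_sends_credentials_in_plaintext("http://user:pw@rpc.example.test/RPC2"))   # True
    print(uri_sends_credentials_in_plaintext("https://user:pw@rpc.example.test/RPC2"))  # False
    print(build_allowlisted_dispatcher().system_listMethods())  # ['add']
```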
| FQN | Field |
|---|---|
| xmlrpc.client | fqns[0] |
| xmlrpc.server | fqns[1] |
A wrong FQN yields 0 findings. Verify the rule is actually matching: change the fqns entries to garbage and confirm the rule then produces 0 results.
from codepathfinder.go_rule import PyXmlrpc