Vulnerabilities > CVE-2013-1643 - Information Exposure vulnerability in PHP
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2639.NASL description Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2013-1635 If a PHP application accepted untrusted SOAP object input remotely from clients, an attacker could read system files readable for the webserver. - CVE-2013-1643 The soap.wsdl_cache_dir function did not take PHP open_basedir restrictions into account. Note that Debian advises against relying on open_basedir restrictions for security. last seen 2020-03-17 modified 2013-03-06 plugin id 65033 published 2013-03-06 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65033 title Debian DSA-2639-1 : php5 - several vulnerabilities NASL family Scientific Linux Local Security Checks NASL id SL_20130930_PHP53_ON_SL5_X.NASL description It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP last seen 2020-03-18 modified 2013-10-11 plugin id 70389 published 2013-10-11 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70389 title Scientific Linux Security Update : php53 on SL5.x i386/x86_64 (20130930) NASL family Fedora Local Security Checks NASL id FEDORA_2013-3927.NASL description Upstream NEWS, 14 Mar 2012, PHP 5.4.13 Core : - Fixed bug #64235 (Insteadof not work for class method in 5.4.11). (Laruence) - Implemented FR #64175 (Added HTTP codes as of RFC 6585). (Jonh Wendell) - Fixed bug #64142 (dval to lval different behavior on ppc64). (Remi) - Fixed bug #64070 (Inheritance with Traits failed with error). (Dmitry) CLI server : - Fixed bug #64128 (buit-in web server is broken on ppc64). (Remi) Mbstring : - mb_split() can now handle empty matches like preg_split() does. (Moriyoshi) OpenSSL : - Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()). (Stas) PDO_mysql : - Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs). (Johannes) Phar : - Fixed timestamp update on Phar contents modification. (Dmitry) SOAP : - Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635). (Dmitry) - Disabled external entities loading (CVE-2013-1643). (Dmitry) SPL : - Fixed bug #64264 (SPLFixedArray toArray problem). (Laruence) - Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS). (patch by kriss at krizalys.com, Laruence) - Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov) - Fixed bug #52861 (unset fails with ArrayObject and deep arrays). (Mike Willbanks) SNMP : - Fixed bug #64124 (IPv6 malformed). (Boris Lytochkin) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-03 plugin id 65774 published 2013-04-03 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65774 title Fedora 17 : php-5.4.13-1.fc17 (2013-3927) NASL family CGI abuses NASL id PHP_5_4_13.NASL description According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.13. It is, therefore, potentially affected by an information disclosure vulnerability. The 5.4.12 fix for CVE-2013-1635 / CVE-2013-1643 was incomplete and an error still exists in the files last seen 2020-06-01 modified 2020-06-02 plugin id 66585 published 2013-05-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66585 title PHP 5.4.x < 5.4.13 Information Disclosure NASL family Scientific Linux Local Security Checks NASL id SL_20131211_PHP_ON_SL5_X.NASL description A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) After installing the updated packages, the httpd daemon must be restarted for the update to take effect. last seen 2020-03-18 modified 2013-12-12 plugin id 71373 published 2013-12-12 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71373 title Scientific Linux Security Update : php on SL5.x i386/x86_64 (20131211) NASL family CGI abuses NASL id PHP_5_3_22.NASL description According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities : - An error exists in the file last seen 2020-06-01 modified 2020-06-02 plugin id 64992 published 2013-03-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64992 title PHP 5.3.x < 5.3.22 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-114.NASL description Multiple vulnerabilities has been discovered and corrected in php : ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory (CVE-2013-1635). The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions (CVE-2013-1643). Backported upstream php bug #61930: last seen 2020-06-01 modified 2020-06-02 plugin id 66126 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66126 title Mandriva Linux Security Advisory : php (MDVSA-2013:114) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-1814.NASL description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) Red Hat would like to thank the PHP project for reporting CVE-2013-6420. Upstream acknowledges Stefan Esser as the original reporter. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 71356 published 2013-12-12 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71356 title CentOS 5 : php (CESA-2013:1814) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2013-004.NASL description The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied. This update contains several security-related fixes for the following component : - Apache - Bind - Certificate Trust Policy - ClamAV - Installer - IPSec - Mobile Device Management - OpenSSL - PHP - PostgreSQL - QuickTime - sudo Note that successful exploitation of the most serious issues could result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 69878 published 2013-09-13 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69878 title Mac OS X Multiple Vulnerabilities (Security Update 2013-004) NASL family MacOS X Local Security Checks NASL id MACOSX_10_8_5.NASL description The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components : - Apache - Bind - Certificate Trust Policy - CoreGraphics - ImageIO - Installer - IPSec - Kernel - Mobile Device Management - OpenSSL - PHP - PostgreSQL - Power Management - QuickTime - Screen Lock - sudo This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit. Note that successful exploitation of the most serious issues could result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 69877 published 2013-09-13 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69877 title Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_APACHE2-MOD_PHP53-130718.NASL description The following security issues have been fixed : - (bnc#828020):. (CVE-2013-4635) - Integer overflow in SdnToJewish() - (bnc#829207):. (CVE-2013-4113) - heap corruption due to badly formed xml last seen 2020-06-05 modified 2013-08-10 plugin id 69296 published 2013-08-10 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69296 title SuSE 11.2 / 11.3 Security Update : PHP5 (SAT Patch Numbers 8087 / 8088) NASL family CGI abuses NASL id PHP_5_3_23.NASL description According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by multiple vulnerabilities: - An error exists in the file last seen 2020-06-01 modified 2020-06-02 plugin id 66584 published 2013-05-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66584 title PHP 5.3.x < 5.3.23 Multiple Vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1814.NASL description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) Red Hat would like to thank the PHP project for reporting CVE-2013-6420. Upstream acknowledges Stefan Esser as the original reporter. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 71337 published 2013-12-11 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71337 title RHEL 5 : php (RHSA-2013:1814) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-1307.NASL description Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 79149 published 2014-11-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79149 title CentOS 5 : php53 (CESA-2013:1307) NASL family SuSE Local Security Checks NASL id SUSE_11_APACHE2-MOD_PHP53-130717.NASL description The following security issues have been fixed : - (bnc#828020):. (CVE-2013-4635) - Integer overflow in SdnToJewish() - (bnc#829207):. (CVE-2013-4113) - heap corruption due to badly formed xml last seen 2020-06-05 modified 2013-08-10 plugin id 69295 published 2013-08-10 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69295 title SuSE 11.2 / 11.3 Security Update : PHP5 (SAT Patch Numbers 8087 / 8088) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-1814.NASL description From Red Hat Security Advisory 2013:1814 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) Red Hat would like to thank the PHP project for reporting CVE-2013-6420. Upstream acknowledges Stefan Esser as the original reporter. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 71367 published 2013-12-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71367 title Oracle Linux 5 : php (ELSA-2013-1814) NASL family Scientific Linux Local Security Checks NASL id SL_20131121_PHP_ON_SL6_X.NASL description It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP last seen 2020-03-18 modified 2013-12-04 plugin id 71198 published 2013-12-04 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71198 title Scientific Linux Security Update : php on SL6.x i386/x86_64 (20131121) NASL family SuSE Local Security Checks NASL id SUSE_11_APACHE2-MOD_PHP5-130718.NASL description The following security issues have been fixed : - (bnc#828020):. (CVE-2013-4635) - Integer overflow in SdnToJewish() - (bnc#807707):. (CVE-2013-1635 / CVE-2013-1643) - reading system files via untrusted SOAP input - soap.wsdl_cache_dir function did not honour PHP open_basedir - (bnc#829207):. (CVE-2013-4113) - heap corruption due to badly formed xml last seen 2020-06-05 modified 2013-08-10 plugin id 69294 published 2013-08-10 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69294 title SuSE 11.2 Security Update : PHP5 (SAT Patch Number 8086) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-1615.NASL description From Red Hat Security Advisory 2013:1615 : Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 71107 published 2013-11-27 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71107 title Oracle Linux 6 : php (ELSA-2013-1615) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1307.NASL description Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 70244 published 2013-10-01 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70244 title RHEL 5 : php53 (RHSA-2013:1307) NASL family Solaris Local Security Checks NASL id SOLARIS11_PHP_20140401.NASL description The remote Solaris system is missing necessary patches to address security updates : - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. (CVE-2011-4718) - Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an last seen 2020-06-01 modified 2020-06-02 plugin id 80736 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80736 title Oracle Solaris Third-Party Patch Update : php (cve_2013_4113_buffer_errors) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_1D23109A900511E29602D43D7E0C7C02.NASL description The PHP development team reports : PHP does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory. The SOAP parser in PHP allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. last seen 2020-06-01 modified 2020-06-02 plugin id 65623 published 2013-03-20 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65623 title FreeBSD : php5 -- Multiple vulnerabilities (1d23109a-9005-11e2-9602-d43d7e0c7c02) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1615.NASL description Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 71010 published 2013-11-21 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71010 title RHEL 6 : php (RHSA-2013:1615) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1761-1.NASL description It was discovered that PHP incorrectly handled XML external entities in SOAP WSDL files. A remote attacker could use this flaw to read arbitrary files off the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 65547 published 2013-03-14 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65547 title Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : php5 vulnerability (USN-1761-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201408-11.NASL description The remote host is affected by the vulnerability described in GLSA-201408-11 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker can cause arbitrary code execution, create a Denial of Service condition, read or write arbitrary files, impersonate other servers, hijack a web session, or have other unspecified impact. Additionally, a local attacker could gain escalated privileges. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 77455 published 2014-08-30 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77455 title GLSA-201408-11 : PHP: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-604.NASL description - fixing the following security issues : - CVE-2013-4635.patch (bnc#828020) : - Integer overflow in the SdnToJewish - CVE-2013-1635.patch and CVE-2013-1643.patch (bnc#807707) : - reading system files via untrusted SOAP input - soap.wsdl_cache_dir function did not honour PHP open_basedir - CVE-2013-4113.patch (bnc#829207) : - heap corruption due to badly formed xml last seen 2020-06-05 modified 2014-06-13 plugin id 75096 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75096 title openSUSE Security Update : php5 (openSUSE-SU-2013:1244-1) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-016.NASL description Multiple vulnerabilities has been discovered and corrected in php : PHP does not validate the configration directive soap.wsdl_cache_dir before writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to write remote wsdl files to arbitrary locations (CVE-2013-1635). PHP allows the use of external entities while parsing SOAP wsdl files which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send serialized SoapClient object initialized in non-wsdl mode which will make PHP to parse automatically remote XML-document specified in the location option parameter (CVE-2013-1643). The updated packages have been upgraded to the 5.3.22 version which is not vulnerable to these issues. Additionally, some packages which requires so has been rebuilt for php-5.3.22. last seen 2020-06-01 modified 2020-06-02 plugin id 64942 published 2013-03-01 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64942 title Mandriva Linux Security Advisory : php (MDVSA-2013:016) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-1307.NASL description From Red Hat Security Advisory 2013:1307 : Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 70284 published 2013-10-03 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70284 title Oracle Linux 5 : php53 (ELSA-2013-1307) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-1615.NASL description Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 79167 published 2014-11-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79167 title CentOS 6 : php (CESA-2013:1615) NASL family SuSE Local Security Checks NASL id SUSE_APACHE2-MOD_PHP5-8647.NASL description The following security issues have been fixed : - (bnc#828020): o Integer overflow in SdnToJewish(). (CVE-2013-4635) - (bnc#807707): o reading system files via untrusted SOAP input o soap.wsdl_cache_dir function did not honour PHP open_basedir. (CVE-2013-1635 / CVE-2013-1643) - (bnc#829207): o heap corruption due to badly formed xml. (CVE-2013-4113) last seen 2020-06-05 modified 2013-08-01 plugin id 69172 published 2013-08-01 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69172 title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8647) NASL family Fedora Local Security Checks NASL id FEDORA_2013-3891.NASL description Upstream NEWS, 14 Mar 2012, PHP 5.4.13 Core : - Fixed bug #64235 (Insteadof not work for class method in 5.4.11). (Laruence) - Implemented FR #64175 (Added HTTP codes as of RFC 6585). (Jonh Wendell) - Fixed bug #64142 (dval to lval different behavior on ppc64). (Remi) - Fixed bug #64070 (Inheritance with Traits failed with error). (Dmitry) CLI server : - Fixed bug #64128 (buit-in web server is broken on ppc64). (Remi) Mbstring : - mb_split() can now handle empty matches like preg_split() does. (Moriyoshi) OpenSSL : - Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()). (Stas) PDO_mysql : - Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs). (Johannes) Phar : - Fixed timestamp update on Phar contents modification. (Dmitry) SOAP : - Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635). (Dmitry) - Disabled external entities loading (CVE-2013-1643). (Dmitry) SPL : - Fixed bug #64264 (SPLFixedArray toArray problem). (Laruence) - Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS). (patch by kriss at krizalys.com, Laruence) - Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov) - Fixed bug #52861 (unset fails with ArrayObject and deep arrays). (Mike Willbanks) SNMP : - Fixed bug #64124 (IPv6 malformed). (Boris Lytochkin) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-03 plugin id 65773 published 2013-04-03 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65773 title Fedora 18 : php-5.4.13-1.fc18 (2013-3891) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2013-081-01.NASL description New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 65660 published 2013-03-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65660 title Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : php (SSA:2013-081-01)
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- https://bugzilla.redhat.com/show_bug.cgi?id=918187
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
- https://bugs.gentoo.org/show_bug.cgi?id=459904
- http://www.debian.org/security/2013/dsa-2639
- http://www.ubuntu.com/usn/USN-1761-1
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
- http://www.php.net/ChangeLog-5.php
- http://support.apple.com/kb/HT5880
- http://secunia.com/advisories/55078
- http://rhn.redhat.com/errata/RHSA-2013-1307.html
- http://rhn.redhat.com/errata/RHSA-2013-1615.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:114
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=8e76d0404b7f664ee6719fd98f0483f0ac4669d6