ID CVE-2013-1643
Summary The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.
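The XXE pattern the summary describes, next to the guard an application should put in front of SoapClient, as an added example. This is not code from the PHP project or from any advisory quoted on this page. It assumes PHP 7.4 or later on a POSIX host with the dom, libxml and soap extensions loaded and a writable temp directory; the "secret" file and the WSDL are constructed stand-ins, and the function names (cve_2013_1643_affected, build_xxe_wsdl, parse_like_vulnerable_soap, harden_libxml, safe_soap_client) are mine. The upstream fix disabled libxml's external entity loading while the SOAP parser runs, so the leak cannot be reproduced through a patched SoapClient; the block instead parses the same WSDL with DOMDocument and LIBXML_NOENT, which asks libxml to substitute entities and, when external loading is allowed, pulls the referenced file into the document. That is the outcome the summary describes.

```php
<?php
// Added example for the CVE-2013-1643 record; not code from the PHP project or
// from any advisory quoted on the page. Assumptions (mine): PHP 7.4+, POSIX
// paths, dom/libxml/soap extensions present. All input below is constructed.
declare(strict_types=1);

// Version gate matching the summary: fixed in 5.3.23 and 5.4.13; everything
// older (including the 5.2/5.1/5.0/4.x/3.x entries listed on the page) is in scope.
function cve_2013_1643_affected(string $phpVersion): bool
{
    if (version_compare($phpVersion, '5.4.0', '>=')) {
        return version_compare($phpVersion, '5.4.13', '<');
    }
    return version_compare($phpVersion, '5.3.23', '<');
}

// Constructed WSDL with the two ingredients from the summary: an external
// entity declaration (backed by a local file) and a reference to it.
function build_xxe_wsdl(string $secretPath): string
{
    return '<?xml version="1.0"?>' . "\n"
        . '<!DOCTYPE definitions [<!ENTITY xxe SYSTEM "file://' . $secretPath . '">]>' . "\n"
        . '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="urn:example">'
        . '<documentation>&xxe;</documentation>'
        . '</definitions>';
}

// Stand-in for the unfixed parser: LIBXML_NOENT makes libxml substitute the
// entity, so the secret file's bytes end up as text inside the WSDL tree.
function parse_like_vulnerable_soap(string $wsdl): string
{
    $doc = new DOMDocument();
    $doc->loadXML($wsdl, LIBXML_NOENT);
    $node = $doc->getElementsByTagName('documentation')->item(0);
    return $node === null ? '' : $node->textContent;
}

// Hardened path. A deny-all entity loader is process-global for the request and
// also covers SoapClient's own WSDL and envelope parsing (that is the knob the
// upstream fix flips internally). Returning null makes the load fail.
function harden_libxml(): void
{
    libxml_set_external_entity_loader(
        static function ($publicId, $systemId, $context) {
            error_log("blocked external entity load: {$systemId}");
            return null;
        }
    );
}

// A WSDL never needs a DOCTYPE, so reject one outright before SoapClient sees
// the file; the loader hook above remains the actual control.
function safe_soap_client(string $wsdlPath): SoapClient
{
    $wsdl = file_get_contents($wsdlPath);
    if ($wsdl === false) {
        throw new RuntimeException("cannot read WSDL: {$wsdlPath}");
    }
    if (preg_match('/<!DOCTYPE/i', $wsdl) === 1) {
        throw new RuntimeException('WSDL rejected: DOCTYPE/entity declarations are not allowed');
    }
    harden_libxml();
    return new SoapClient($wsdlPath, ['cache_wsdl' => WSDL_CACHE_NONE]);
}

// Demonstration on constructed input (a fake passwd line stands in for /etc/passwd).
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/sh\n");
$wsdlPath = tempnam(sys_get_temp_dir(), 'wsdl');
file_put_contents($wsdlPath, build_xxe_wsdl($secret));

printf("PHP 5.3.22 affected: %s\n", cve_2013_1643_affected('5.3.22') ? 'yes' : 'no');
printf("PHP 5.4.13 affected: %s\n", cve_2013_1643_affected('5.4.13') ? 'yes' : 'no');

// Unfixed behaviour: the secret line is printed back out of the parsed WSDL.
printf("leaked: %s", parse_like_vulnerable_soap(build_xxe_wsdl($secret)));

// Hardened behaviour: the WSDL is refused before SoapClient is constructed.
try {
    safe_soap_client($wsdlPath);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

unlink($secret);
unlink($wsdlPath);
```

On PHP 5.3/5.4 builds that predate the fix, libxml_disable_entity_loader(true) is the equivalent global switch; PHP 8.0 deprecated it because external entity loading is off by default there, but LIBXML_NOENT re-enables the load, which is why the stand-in still leaks on current releases. The DOCTYPE regex is defence in depth only (non-UTF-8 encodings and similar tricks can slip past it); the entity loader hook is what actually stops the file read.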
References
Vulnerable Configurations
  • PHP 5.3.21
    cpe:2.3:a:php:php:5.3.21
  • PHP 5.3.20
    cpe:2.3:a:php:php:5.3.20
  • PHP 5.3.19
    cpe:2.3:a:php:php:5.3.19
  • PHP 5.3.18
    cpe:2.3:a:php:php:5.3.18
  • PHP 5.3.17
    cpe:2.3:a:php:php:5.3.17
  • PHP 5.3.16
    cpe:2.3:a:php:php:5.3.16
  • PHP 5.3.15
    cpe:2.3:a:php:php:5.3.15
  • PHP 5.3.14
    cpe:2.3:a:php:php:5.3.14
  • PHP 5.3.12
    cpe:2.3:a:php:php:5.3.12
  • PHP 5.3.8
    cpe:2.3:a:php:php:5.3.8
  • PHP 5.3.11
    cpe:2.3:a:php:php:5.3.11
  • PHP 5.3.4
    cpe:2.3:a:php:php:5.3.4
  • PHP 5.3.3
    cpe:2.3:a:php:php:5.3.3
  • PHP 5.3.0
    cpe:2.3:a:php:php:5.3.0
  • PHP 5.3.1
    cpe:2.3:a:php:php:5.3.1
  • PHP 5.3.7
    cpe:2.3:a:php:php:5.3.7
  • PHP 5.3.6
    cpe:2.3:a:php:php:5.3.6
  • PHP 5.3.5
    cpe:2.3:a:php:php:5.3.5
  • PHP 5.3.9
    cpe:2.3:a:php:php:5.3.9
  • PHP 5.3.13
    cpe:2.3:a:php:php:5.3.13
  • PHP 5.3.2
    cpe:2.3:a:php:php:5.3.2
  • PHP 5.3.10
    cpe:2.3:a:php:php:5.3.10
  • PHP 5.2.15
    cpe:2.3:a:php:php:5.2.15
  • PHP 5.2.9
    cpe:2.3:a:php:php:5.2.9
  • PHP 5.2.16
    cpe:2.3:a:php:php:5.2.16
  • PHP 5.2.12
    cpe:2.3:a:php:php:5.2.12
  • PHP 5.2.10
    cpe:2.3:a:php:php:5.2.10
  • PHP 5.2.13
    cpe:2.3:a:php:php:5.2.13
  • PHP 5.2.5
    cpe:2.3:a:php:php:5.2.5
  • PHP 5.2.11
    cpe:2.3:a:php:php:5.2.11
  • PHP 5.2.7
    cpe:2.3:a:php:php:5.2.7
  • PHP 5.2.0
    cpe:2.3:a:php:php:5.2.0
  • PHP 5.2.8
    cpe:2.3:a:php:php:5.2.8
  • PHP 5.2.6
    cpe:2.3:a:php:php:5.2.6
  • PHP 5.2.4
    cpe:2.3:a:php:php:5.2.4
  • PHP 5.2.3
    cpe:2.3:a:php:php:5.2.3
  • PHP 5.2.14
    cpe:2.3:a:php:php:5.2.14
  • PHP 5.2.1
    cpe:2.3:a:php:php:5.2.1
  • PHP 5.2.2
    cpe:2.3:a:php:php:5.2.2
  • PHP 5.2.17
    cpe:2.3:a:php:php:5.2.17
  • PHP PHP 5.1.3
    cpe:2.3:a:php:php:5.1.3
  • PHP PHP 5.1.2
    cpe:2.3:a:php:php:5.1.2
  • PHP PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP PHP 5.1.0
    cpe:2.3:a:php:php:5.1.0
  • PHP PHP 5.1.6
    cpe:2.3:a:php:php:5.1.6
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
  • PHP PHP 5.1.5
    cpe:2.3:a:php:php:5.1.5
  • PHP PHP 5.0.5
    cpe:2.3:a:php:php:5.0.5
  • PHP PHP 5.0.4
    cpe:2.3:a:php:php:5.0.4
  • PHP PHP 5.0.3
    cpe:2.3:a:php:php:5.0.3
  • PHP PHP 5.0.0 RC1
    cpe:2.3:a:php:php:5.0.0:rc1
  • PHP PHP 5.0.0 Beta4
    cpe:2.3:a:php:php:5.0.0:beta4
  • PHP PHP 5.0.0 Beta3
    cpe:2.3:a:php:php:5.0.0:beta3
  • PHP PHP 5.0.0 Beta2
    cpe:2.3:a:php:php:5.0.0:beta2
  • PHP PHP 5.0.2
    cpe:2.3:a:php:php:5.0.2
  • PHP PHP 5.0.1
    cpe:2.3:a:php:php:5.0.1
  • PHP PHP 5.0.0 RC3
    cpe:2.3:a:php:php:5.0.0:rc3
  • PHP PHP 5.0.0 RC2
    cpe:2.3:a:php:php:5.0.0:rc2
  • PHP PHP 5.0.0
    cpe:2.3:a:php:php:5.0.0
  • PHP PHP 5.0.0 Beta1
    cpe:2.3:a:php:php:5.0.0:beta1
  • PHP PHP 4.3.10
    cpe:2.3:a:php:php:4.3.10
  • PHP PHP 4.3.1
    cpe:2.3:a:php:php:4.3.1
  • PHP PHP 4.3.2
    cpe:2.3:a:php:php:4.3.2
  • PHP PHP 4.3.11
    cpe:2.3:a:php:php:4.3.11
  • PHP PHP 4.3.4
    cpe:2.3:a:php:php:4.3.4
  • PHP PHP 4.3.3
    cpe:2.3:a:php:php:4.3.3
  • PHP PHP 4.3.6
    cpe:2.3:a:php:php:4.3.6
  • PHP PHP 4.3.5
    cpe:2.3:a:php:php:4.3.5
  • PHP PHP 4.2.1
    cpe:2.3:a:php:php:4.2.1
  • PHP 4.4.8
    cpe:2.3:a:php:php:4.4.8
  • PHP PHP 4.2.0
    cpe:2.3:a:php:php:4.2.0
  • PHP 4.4.9
    cpe:2.3:a:php:php:4.4.9
  • PHP PHP 4.2.3
    cpe:2.3:a:php:php:4.2.3
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP PHP 4.4.5
    cpe:2.3:a:php:php:4.4.5
  • PHP PHP 4.4.6
    cpe:2.3:a:php:php:4.4.6
  • PHP PHP 4.4.7
    cpe:2.3:a:php:php:4.4.7
  • PHP PHP 4.3.0
    cpe:2.3:a:php:php:4.3.0
  • PHP PHP 4.3.7
    cpe:2.3:a:php:php:4.3.7
  • PHP PHP 4.3.8
    cpe:2.3:a:php:php:4.3.8
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP PHP 4.4.0
    cpe:2.3:a:php:php:4.4.0
  • PHP PHP 4.4.1
    cpe:2.3:a:php:php:4.4.1
  • PHP PHP 4.4.2
    cpe:2.3:a:php:php:4.4.2
  • PHP PHP 4.4.3
    cpe:2.3:a:php:php:4.4.3
  • PHP PHP 4.4.4
    cpe:2.3:a:php:php:4.4.4
  • PHP PHP 4.0 Beta 1
    cpe:2.3:a:php:php:4.0:beta1
  • PHP PHP 4.0 Beta 2
    cpe:2.3:a:php:php:4.0:beta2
  • PHP PHP 4.0.1
    cpe:2.3:a:php:php:4.0.1
  • PHP PHP 4.0.0
    cpe:2.3:a:php:php:4.0.0
  • PHP PHP 4.0 Beta 4 Patch Level 1
    cpe:2.3:a:php:php:4.0:beta_4_patch1
  • PHP PHP 4.0 Beta 3
    cpe:2.3:a:php:php:4.0:beta3
  • PHP PHP 4.0 Beta 4
    cpe:2.3:a:php:php:4.0:beta4
  • PHP PHP 4.0.6
    cpe:2.3:a:php:php:4.0.6
  • PHP PHP 4.0.5
    cpe:2.3:a:php:php:4.0.5
  • PHP PHP 4.0.4
    cpe:2.3:a:php:php:4.0.4
  • PHP PHP 4.0.3
    cpe:2.3:a:php:php:4.0.3
  • PHP PHP 4.0.2
    cpe:2.3:a:php:php:4.0.2
  • PHP PHP 4.1.2
    cpe:2.3:a:php:php:4.1.2
  • PHP PHP 4.1.1
    cpe:2.3:a:php:php:4.1.1
  • PHP PHP 4.1.0
    cpe:2.3:a:php:php:4.1.0
  • PHP PHP 4.0.7
    cpe:2.3:a:php:php:4.0.7
  • PHP PHP 3.0.11
    cpe:2.3:a:php:php:3.0.11
  • PHP PHP 3.0.10
    cpe:2.3:a:php:php:3.0.10
  • PHP PHP 3.0.13
    cpe:2.3:a:php:php:3.0.13
  • PHP PHP 3.0.12
    cpe:2.3:a:php:php:3.0.12
  • PHP PHP 3.0.1
    cpe:2.3:a:php:php:3.0.1
  • PHP PHP 3.0
    cpe:2.3:a:php:php:3.0
  • PHP PHP 3.0.2
    cpe:2.3:a:php:php:3.0.2
  • PHP PHP 3.0.18
    cpe:2.3:a:php:php:3.0.18
  • PHP PHP 3.0.4
    cpe:2.3:a:php:php:3.0.4
  • PHP PHP 3.0.3
    cpe:2.3:a:php:php:3.0.3
  • PHP PHP 3.0.15
    cpe:2.3:a:php:php:3.0.15
  • PHP PHP 3.0.14
    cpe:2.3:a:php:php:3.0.14
  • PHP PHP 3.0.17
    cpe:2.3:a:php:php:3.0.17
  • PHP PHP 3.0.16
    cpe:2.3:a:php:php:3.0.16
  • PHP PHP 3.0.9
    cpe:2.3:a:php:php:3.0.9
  • PHP PHP 3.0.7
    cpe:2.3:a:php:php:3.0.7
  • PHP PHP 3.0.8
    cpe:2.3:a:php:php:3.0.8
  • PHP PHP 3.0.5
    cpe:2.3:a:php:php:3.0.5
  • PHP PHP 3.0.6
    cpe:2.3:a:php:php:3.0.6
  • PHP PHP_FI 2.0b10
    cpe:2.3:a:php:php:2.0b10
  • PHP PHP_FI 2.0
    cpe:2.3:a:php:php:2.0
  • PHP PHP_FI 1.0
    cpe:2.3:a:php:php:1.0
  • PHP 5.4.4
    cpe:2.3:a:php:php:5.4.4
  • PHP 5.4.3
    cpe:2.3:a:php:php:5.4.3
  • PHP 5.4.0
    cpe:2.3:a:php:php:5.4.0
  • PHP 5.4.1
    cpe:2.3:a:php:php:5.4.1
  • PHP 5.4.2
    cpe:2.3:a:php:php:5.4.2
  • PHP 5.4.12
    cpe:2.3:a:php:php:5.4.12
  • PHP 5.4.11
    cpe:2.3:a:php:php:5.4.11
  • PHP 5.4.10
    cpe:2.3:a:php:php:5.4.10
  • PHP 5.4.9
    cpe:2.3:a:php:php:5.4.9
  • PHP 5.4.8
    cpe:2.3:a:php:php:5.4.8
  • PHP 5.4.7
    cpe:2.3:a:php:php:5.4.7
  • PHP 5.4.6
    cpe:2.3:a:php:php:5.4.6
  • PHP 5.4.5
    cpe:2.3:a:php:php:5.4.5
CVSS
Base: 5.0 (as of 06-03-2013 - 12:42)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of a valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash characters. An attacker would try to exploit common filtering problems related to the use of the slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) chose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
Vector: NETWORK   Complexity: LOW   Authentication: NONE
Impact
Confidentiality: PARTIAL   Integrity: NONE   Availability: NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-604.NASL
    description Fixing the following security issues:
      - CVE-2013-4635.patch (bnc#828020): integer overflow in the SdnToJewish function
      - CVE-2013-1635.patch and CVE-2013-1643.patch (bnc#807707): reading system files via untrusted SOAP input; soap.wsdl_cache_dir function did not honour PHP open_basedir
      - CVE-2013-4113.patch (bnc#829207): heap corruption due to badly formed XML
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75096
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75096
    title openSUSE Security Update : php5 (openSUSE-SU-2013:1244-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201408-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-201408-11 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker can cause arbitrary code execution, create a Denial of Service condition, read or write arbitrary files, impersonate other servers, hijack a web session, or have other unspecified impact. Additionally, a local attacker could gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 77455
    published 2014-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77455
    title GLSA-201408-11 : PHP: Multiple vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2013-004.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied. This update contains several security-related fixes for the following component : - Apache - Bind - Certificate Trust Policy - ClamAV - Installer - IPSec - Mobile Device Management - OpenSSL - PHP - PostgreSQL - QuickTime - sudo Note that successful exploitation of the most serious issues could result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 69878
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69878
    title Mac OS X Multiple Vulnerabilities (Security Update 2013-004)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_8_5.NASL
    description The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components : - Apache - Bind - Certificate Trust Policy - CoreGraphics - ImageIO - Installer - IPSec - Kernel - Mobile Device Management - OpenSSL - PHP - PostgreSQL - Power Management - QuickTime - Screen Lock - sudo This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit. Note that successful exploitation of the most serious issues could result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 69877
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69877
    title Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_5_3_22.NASL
    description According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities : - An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635) - An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643) Note that this plugin does not attempt to exploit the vulnerabilities but instead relies only on PHP's self-reported version number.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 64992
    published 2013-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64992
    title PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2639.NASL
    description Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2013-1635 If a PHP application accepted untrusted SOAP object input remotely from clients, an attacker could read system files readable for the webserver. - CVE-2013-1643 The soap.wsdl_cache_dir function did not take PHP open_basedir restrictions into account. Note that Debian advises against relying on open_basedir restrictions for security.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65033
    published 2013-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65033
    title Debian DSA-2639-1 : php5 - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-016.NASL
    description Multiple vulnerabilities have been discovered and corrected in php : PHP does not validate the configuration directive soap.wsdl_cache_dir before writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to write remote wsdl files to arbitrary locations (CVE-2013-1635). PHP allows the use of external entities while parsing SOAP wsdl files, which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send a serialized SoapClient object initialized in non-wsdl mode, which will make PHP automatically parse the remote XML document specified in the location option parameter (CVE-2013-1643). The updated packages have been upgraded to the 5.3.22 version which is not vulnerable to these issues. Additionally, some packages which require it have been rebuilt for php-5.3.22.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 64942
    published 2013-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64942
    title Mandriva Linux Security Advisory : php (MDVSA-2013:016)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131121_PHP_ON_SL6_X.NASL
    description It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243)
      A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248)
      It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643)
      This update fixes the following bugs:
      - Previously, when the allow_call_time_pass_reference setting was disabled, a virtual host on the Apache server could terminate with a segmentation fault when attempting to process certain PHP content. This bug has been fixed and virtual hosts no longer crash when allow_call_time_pass_reference is off.
      - Prior to this update, if an error occurred during the operation of the fclose(), file_put_contents(), or copy() function, the function did not report it. This could have led to data loss. With this update, the aforementioned functions have been modified to properly report any errors.
      - The internal buffer for the SQLSTATE error code can store a maximum of 5 characters. Previously, when certain calls exceeded this limit, a buffer overflow occurred. With this update, messages longer than 5 characters are automatically replaced with the default 'HY000' string, thus preventing the overflow.
      In addition, this update adds the following enhancement:
      - This update adds the following rpm macros to the php package: %__php, %php_inidir, %php_incldir.
      After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 71198
    published 2013-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71198
    title Scientific Linux Security Update : php on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1307.NASL
    description Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
      - It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243)
      - It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398)
      - A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248)
      - An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688)
      - It was found that PHP did not correctly handle the magic_quotes_gpc configuration directive. This could result in magic_quotes_gpc input escaping not being applied in all cases, possibly making it easier for a remote attacker to perform SQL injection attacks. (CVE-2012-0831)
      - It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643)
      These updated php53 packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.10 Technical Notes, linked to in the References, for information on the most significant of these changes. All PHP users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 70244
    published 2013-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70244
    title RHEL 5 : php53 (RHSA-2013:1307)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-MOD_PHP53-130717.NASL
    description The following security issues have been fixed:
      - bnc#828020 (CVE-2013-4635): integer overflow in SdnToJewish()
      - bnc#829207 (CVE-2013-4113): heap corruption due to badly formed XML
    last seen 2018-09-02
    modified 2017-07-20
    plugin id 69295
    published 2013-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69295
    title SuSE 11.2 / 11.3 Security Update : PHP5 (SAT Patch Numbers 8087 / 8088)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-MOD_PHP5-130718.NASL
    description The following security issues have been fixed:
      - bnc#828020 (CVE-2013-4635): integer overflow in SdnToJewish()
      - bnc#807707 (CVE-2013-1635 / CVE-2013-1643): reading system files via untrusted SOAP input; soap.wsdl_cache_dir function did not honour PHP open_basedir
      - bnc#829207 (CVE-2013-4113): heap corruption due to badly formed XML
    last seen 2019-02-21
    modified 2017-07-20
    plugin id 69294
    published 2013-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69294
    title SuSE 11.2 Security Update : PHP5 (SAT Patch Number 8086)
  • NASL family CGI abuses
    NASL id PHP_5_4_13.NASL
    description According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.13. It is, therefore, potentially affected by an information disclosure vulnerability. The 5.4.12 fix for CVE-2013-1635 / CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files. Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 66585
    published 2013-05-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66585
    title PHP 5.4.x < 5.4.13 Information Disclosure
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3891.NASL
    description Upstream NEWS, 14 Mar 2012, PHP 5.4.13
      Core:
      - Fixed bug #64235 (Insteadof not work for class method in 5.4.11). (Laruence)
      - Implemented FR #64175 (Added HTTP codes as of RFC 6585). (Jonh Wendell)
      - Fixed bug #64142 (dval to lval different behavior on ppc64). (Remi)
      - Fixed bug #64070 (Inheritance with Traits failed with error). (Dmitry)
      CLI server:
      - Fixed bug #64128 (built-in web server is broken on ppc64). (Remi)
      Mbstring:
      - mb_split() can now handle empty matches like preg_split() does. (Moriyoshi)
      OpenSSL:
      - Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()). (Stas)
      PDO_mysql:
      - Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs). (Johannes)
      Phar:
      - Fixed timestamp update on Phar contents modification. (Dmitry)
      SOAP:
      - Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635). (Dmitry)
      - Disabled external entities loading (CVE-2013-1643). (Dmitry)
      SPL:
      - Fixed bug #64264 (SPLFixedArray toArray problem). (Laruence)
      - Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS). (patch by kriss at krizalys.com, Laruence)
      - Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov)
      - Fixed bug #52861 (unset fails with ArrayObject and deep arrays). (Mike Willbanks)
      SNMP:
      - Fixed bug #64124 (IPv6 malformed). (Boris Lytochkin)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 65773
    published 2013-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65773
    title Fedora 18 : php-5.4.13-1.fc18 (2013-3891)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_1D23109A900511E29602D43D7E0C7C02.NASL
    description The PHP development team reports : PHP does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory. The SOAP parser in PHP allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65623
    published 2013-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65623
    title FreeBSD : php5 -- Multiple vulnerabilities (1d23109a-9005-11e2-9602-d43d7e0c7c02)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_PHP_20140401.NASL
    description The remote Solaris system is missing necessary patches to address security updates:
      - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. (CVE-2011-4718)
      - Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an 'overflow.' (CVE-2012-2688)
      - The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors. (CVE-2012-3365)
      - ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory. (CVE-2013-1635)
      - The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824. (CVE-2013-1643)
      - Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function. (CVE-2013-2110)
      - ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function. (CVE-2013-4113)
      - The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. (CVE-2013-4248)
      - Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function. (CVE-2013-4635)
      - The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object. (CVE-2013-4636)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80736
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80736
    title Oracle Solaris Third-Party Patch Update : php (cve_2013_4113_buffer_errors)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1761-1.NASL
    description It was discovered that PHP incorrectly handled XML external entities in SOAP WSDL files. A remote attacker could use this flaw to read arbitrary files off the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65547
    published 2013-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65547
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : php5 vulnerability (USN-1761-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1615.NASL
    description Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) This update fixes the following bugs : * Previously, when the allow_call_time_pass_reference setting was disabled, a virtual host on the Apache server could terminate with a segmentation fault when attempting to process certain PHP content. This bug has been fixed and virtual hosts no longer crash when allow_call_time_pass_reference is off. (BZ#892158, BZ#910466) * Prior to this update, if an error occurred during the operation of the fclose(), file_put_contents(), or copy() function, the function did not report it. This could have led to data loss. With this update, the aforementioned functions have been modified to properly report any errors. (BZ#947429) * The internal buffer for the SQLSTATE error code can store a maximum of 5 characters. Previously, when certain calls exceeded this limit, a buffer overflow occurred. With this update, messages longer than 5 characters are automatically replaced with the default 'HY000' string, thus preventing the overflow. (BZ#969110) In addition, this update adds the following enhancement : * This update adds the following rpm macros to the php package: %__php, %php_inidir, %php_incldir. (BZ#953814) Users of php are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79167
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79167
    title CentOS 6 : php (CESA-2013:1615)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-8647.NASL
    description The following security issues have been fixed : - (bnc#828020): o Integer overflow in SdnToJewish(). (CVE-2013-4635) - (bnc#807707): o reading system files via untrusted SOAP input o soap.wsdl_cache_dir function did not honour PHP open_basedir. (CVE-2013-1635 / CVE-2013-1643) - (bnc#829207): o heap corruption due to badly formed xml. (CVE-2013-4113)
    last seen 2019-02-21
    modified 2017-07-20
    plugin id 69172
    published 2013-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69172
    title SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8647)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-MOD_PHP53-130718.NASL
    description The following security issues have been fixed : - (bnc#828020): Integer overflow in SdnToJewish(). (CVE-2013-4635) - (bnc#829207): heap corruption due to badly formed xml. (CVE-2013-4113)
    last seen 2018-09-01
    modified 2017-07-20
    plugin id 69296
    published 2013-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69296
    title SuSE 11.2 / 11.3 Security Update : PHP5 (SAT Patch Numbers 8087 / 8088)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2013-081-01.NASL
    description New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 65660
    published 2013-03-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65660
    title Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : php (SSA:2013-081-01)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1307.NASL
    description From Red Hat Security Advisory 2013:1307 : Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that PHP did not correctly handle the magic_quotes_gpc configuration directive. This could result in magic_quotes_gpc input escaping not being applied in all cases, possibly making it easier for a remote attacker to perform SQL injection attacks. (CVE-2012-0831) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) These updated php53 packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.10 Technical Notes, linked to in the References, for information on the most significant of these changes. All PHP users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 70284
    published 2013-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70284
    title Oracle Linux 5 : php53 (ELSA-2013-1307)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130930_PHP53_ON_SL5_X.NASL
    description It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that PHP did not correctly handle the magic_quotes_gpc configuration directive. This could result in magic_quotes_gpc input escaping not being applied in all cases, possibly making it easier for a remote attacker to perform SQL injection attacks. (CVE-2012-0831) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 70389
    published 2013-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70389
    title Scientific Linux Security Update : php53 on SL5.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1814.NASL
    description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) Red Hat would like to thank the PHP project for reporting CVE-2013-6420. Upstream acknowledges Stefan Esser as the original reporter. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71356
    published 2013-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71356
    title CentOS 5 : php (CESA-2013:1814)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3927.NASL
    description Upstream NEWS, 14 Mar 2012, PHP 5.4.13 Core : - Fixed bug #64235 (Insteadof not work for class method in 5.4.11). (Laruence) - Implemented FR #64175 (Added HTTP codes as of RFC 6585). (Jonh Wendell) - Fixed bug #64142 (dval to lval different behavior on ppc64). (Remi) - Fixed bug #64070 (Inheritance with Traits failed with error). (Dmitry) CLI server : - Fixed bug #64128 (built-in web server is broken on ppc64). (Remi) Mbstring : - mb_split() can now handle empty matches like preg_split() does. (Moriyoshi) OpenSSL : - Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()). (Stas) PDO_mysql : - Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs). (Johannes) Phar : - Fixed timestamp update on Phar contents modification. (Dmitry) SOAP : - Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635). (Dmitry) - Disabled external entities loading (CVE-2013-1643). (Dmitry) SPL : - Fixed bug #64264 (SPLFixedArray toArray problem). (Laruence) - Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS). (patch by kriss at krizalys.com, Laruence) - Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov) - Fixed bug #52861 (unset fails with ArrayObject and deep arrays). (Mike Willbanks) SNMP : - Fixed bug #64124 (IPv6 malformed). (Boris Lytochkin) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 65774
    published 2013-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65774
    title Fedora 17 : php-5.4.13-1.fc17 (2013-3927)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1307.NASL
    description Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that PHP did not correctly handle the magic_quotes_gpc configuration directive. This could result in magic_quotes_gpc input escaping not being applied in all cases, possibly making it easier for a remote attacker to perform SQL injection attacks. (CVE-2012-0831) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) These updated php53 packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.10 Technical Notes, linked to in the References, for information on the most significant of these changes. All PHP users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79149
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79149
    title CentOS 5 : php53 (CESA-2013:1307)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1814.NASL
    description From Red Hat Security Advisory 2013:1814 : Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) Red Hat would like to thank the PHP project for reporting CVE-2013-6420. Upstream acknowledges Stefan Esser as the original reporter. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 71367
    published 2013-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71367
    title Oracle Linux 5 : php (ELSA-2013-1814)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1814.NASL
    description Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) Red Hat would like to thank the PHP project for reporting CVE-2013-6420. Upstream acknowledges Stefan Esser as the original reporter. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71337
    published 2013-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71337
    title RHEL 5 : php (RHSA-2013:1814)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1615.NASL
    description Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) This update fixes the following bugs : * Previously, when the allow_call_time_pass_reference setting was disabled, a virtual host on the Apache server could terminate with a segmentation fault when attempting to process certain PHP content. This bug has been fixed and virtual hosts no longer crash when allow_call_time_pass_reference is off. (BZ#892158, BZ#910466) * Prior to this update, if an error occurred during the operation of the fclose(), file_put_contents(), or copy() function, the function did not report it. This could have led to data loss. With this update, the aforementioned functions have been modified to properly report any errors. (BZ#947429) * The internal buffer for the SQLSTATE error code can store a maximum of 5 characters. Previously, when certain calls exceeded this limit, a buffer overflow occurred. With this update, messages longer than 5 characters are automatically replaced with the default 'HY000' string, thus preventing the overflow. (BZ#969110) In addition, this update adds the following enhancement : * This update adds the following rpm macros to the php package: %__php, %php_inidir, %php_incldir. (BZ#953814) Users of php are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71010
    published 2013-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71010
    title RHEL 6 : php (RHSA-2013:1615)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1615.NASL
    description From Red Hat Security Advisory 2013:1615 : Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243) A flaw was found in PHP's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. If an attacker was able to get a carefully crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate to conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) This update fixes the following bugs : * Previously, when the allow_call_time_pass_reference setting was disabled, a virtual host on the Apache server could terminate with a segmentation fault when attempting to process certain PHP content. This bug has been fixed and virtual hosts no longer crash when allow_call_time_pass_reference is off. (BZ#892158, BZ#910466) * Prior to this update, if an error occurred during the operation of the fclose(), file_put_contents(), or copy() function, the function did not report it. This could have led to data loss. With this update, the aforementioned functions have been modified to properly report any errors. (BZ#947429) * The internal buffer for the SQLSTATE error code can store a maximum of 5 characters. Previously, when certain calls exceeded this limit, a buffer overflow occurred. With this update, messages longer than 5 characters are automatically replaced with the default 'HY000' string, thus preventing the overflow. (BZ#969110) In addition, this update adds the following enhancement : * This update adds the following rpm macros to the php package: %__php, %php_inidir, %php_incldir. (BZ#953814) Users of php are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 71107
    published 2013-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71107
    title Oracle Linux 6 : php (ELSA-2013-1615)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131211_PHP_ON_SL5_X.NASL
    description A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420) It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks. (CVE-2011-1398) An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-2688) It was found that the PHP SOAP parser allowed the expansion of external XML entities during SOAP message parsing. A remote attacker could possibly use this flaw to read arbitrary files that are accessible to a PHP application using a SOAP extension. (CVE-2013-1643) After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 71373
    published 2013-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71373
    title Scientific Linux Security Update : php on SL5.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-114.NASL
    description Multiple vulnerabilities have been discovered and corrected in php : ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory (CVE-2013-1635). The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions (CVE-2013-1643). Backported upstream php bug #61930: 'openssl corrupts ssl key resource when using openssl_get_publickey()' to php-5.3.x. The new Powered by Mageia logo has been added to php; this is only a cosmetic change. The php-timezonedb package has been updated to the 2013.2 version. The updated packages have been upgraded to the 5.3.23 version, which is not vulnerable to these issues. Additionally, some packages which require it have been rebuilt for php-5.3.23.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 66126
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66126
    title Mandriva Linux Security Advisory : php (MDVSA-2013:114)
redhat via4
advisories
  • rhsa
    id RHSA-2013:1307
  • rhsa
    id RHSA-2013:1615
rpms
  • php53-0:5.3.3-21.el5
  • php53-bcmath-0:5.3.3-21.el5
  • php53-cli-0:5.3.3-21.el5
  • php53-common-0:5.3.3-21.el5
  • php53-dba-0:5.3.3-21.el5
  • php53-devel-0:5.3.3-21.el5
  • php53-gd-0:5.3.3-21.el5
  • php53-imap-0:5.3.3-21.el5
  • php53-intl-0:5.3.3-21.el5
  • php53-ldap-0:5.3.3-21.el5
  • php53-mbstring-0:5.3.3-21.el5
  • php53-mysql-0:5.3.3-21.el5
  • php53-odbc-0:5.3.3-21.el5
  • php53-pdo-0:5.3.3-21.el5
  • php53-pgsql-0:5.3.3-21.el5
  • php53-process-0:5.3.3-21.el5
  • php53-pspell-0:5.3.3-21.el5
  • php53-snmp-0:5.3.3-21.el5
  • php53-soap-0:5.3.3-21.el5
  • php53-xml-0:5.3.3-21.el5
  • php53-xmlrpc-0:5.3.3-21.el5
  • php-0:5.3.3-26.el6
  • php-bcmath-0:5.3.3-26.el6
  • php-cli-0:5.3.3-26.el6
  • php-common-0:5.3.3-26.el6
  • php-dba-0:5.3.3-26.el6
  • php-devel-0:5.3.3-26.el6
  • php-embedded-0:5.3.3-26.el6
  • php-enchant-0:5.3.3-26.el6
  • php-fpm-0:5.3.3-26.el6
  • php-gd-0:5.3.3-26.el6
  • php-imap-0:5.3.3-26.el6
  • php-intl-0:5.3.3-26.el6
  • php-ldap-0:5.3.3-26.el6
  • php-mbstring-0:5.3.3-26.el6
  • php-mysql-0:5.3.3-26.el6
  • php-odbc-0:5.3.3-26.el6
  • php-pdo-0:5.3.3-26.el6
  • php-pgsql-0:5.3.3-26.el6
  • php-process-0:5.3.3-26.el6
  • php-pspell-0:5.3.3-26.el6
  • php-recode-0:5.3.3-26.el6
  • php-snmp-0:5.3.3-26.el6
  • php-soap-0:5.3.3-26.el6
  • php-tidy-0:5.3.3-26.el6
  • php-xml-0:5.3.3-26.el6
  • php-xmlrpc-0:5.3.3-26.el6
  • php-zts-0:5.3.3-26.el6
  • php-0:5.1.6-43.el5_10
  • php-bcmath-0:5.1.6-43.el5_10
  • php-cli-0:5.1.6-43.el5_10
  • php-common-0:5.1.6-43.el5_10
  • php-dba-0:5.1.6-43.el5_10
  • php-devel-0:5.1.6-43.el5_10
  • php-gd-0:5.1.6-43.el5_10
  • php-imap-0:5.1.6-43.el5_10
  • php-ldap-0:5.1.6-43.el5_10
  • php-mbstring-0:5.1.6-43.el5_10
  • php-mysql-0:5.1.6-43.el5_10
  • php-ncurses-0:5.1.6-43.el5_10
  • php-odbc-0:5.1.6-43.el5_10
  • php-pdo-0:5.1.6-43.el5_10
  • php-pgsql-0:5.1.6-43.el5_10
  • php-snmp-0:5.1.6-43.el5_10
  • php-soap-0:5.1.6-43.el5_10
  • php-xml-0:5.1.6-43.el5_10
  • php-xmlrpc-0:5.1.6-43.el5_10
refmap via4
apple APPLE-SA-2013-09-12-1
confirm
debian DSA-2639
mandriva MDVSA-2013:114
secunia 55078
suse
  • SUSE-SU-2013:1285
  • SUSE-SU-2013:1315
ubuntu USN-1761-1
Last major update 27-01-2014 - 23:51
Published 06-03-2013 - 08:10