PHP 5.3.x < 5.3.22 Multiple Vulnerabilities

medium Log Correlation Engine Plugin ID 801086

Synopsis

The remote web server uses a version of PHP that is affected by a multiple vulnerabilities

Description

PHP versions 5.3.x earlier than 5.3.22 are affected by the following vulnerabilities :

- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)

- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)

Solution

Upgrade to PHP version 5.3.22 or later.

See Also

http://www.nessus.org/u?2dcf53bd

http://www.nessus.org/u?889595b1

http://www.php.net/ChangeLog-5.php#5.3.22

Plugin Details

Severity: Medium

ID: 801086

Family: Web Servers

Published: 3/4/2013

Nessus ID: 64992

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Patch Publication Date: 2/21/2013

Vulnerability Publication Date: 2/21/2013

Reference Information

CVE: CVE-2013-1635, CVE-2013-1643

BID: 58224, 58766