
PHP 5.4.x < 5.4.40 / 5.5.x < 5.5.24 / 5.6.x < 5.6.8 'php_sdl.c' WSDL Injection

Medium

Synopsis

The remote web server uses a version of PHP that is affected by a SOAP WSDL injection vulnerability.

Description

Versions of PHP 5.4.x earlier than 5.4.40, 5.5.x earlier than 5.5.24, or 5.6.x earlier than 5.6.8 contain a flaw in the handling of the WSDL cache directory: the program creates its cache files in a predictable manner. This may allow a remote attacker to inject WSDL files and have them used in place of the intended file. Specifically, the default 'soap.wsdl_cache_dir' setting in 'php.ini-production' and 'php.ini-development' specifies the /tmp directory. This makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is then used by the 'get_sdl' function in 'ext/soap/php_sdl.c'.

Solution

Use a directory other than /tmp for the WSDL cache directory.
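
One way to verify the setting after applying the solution, as an added example that is not part of the original advisory: the script reads 'soap.wsdl_cache_dir' from a php.ini file and fails if it resolves to /tmp or to any world-writable directory. The function names are hypothetical, the world-writable check goes beyond the advisory's /tmp advice, and the fallback to /tmp when the directive is absent is an assumption matching the default named above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from PHP or the advisory.

# Print the effective soap.wsdl_cache_dir from a php.ini file. The last
# uncommented assignment wins; with none present, fall back to /tmp (assumed).
wsdl_cache_dir_of() {
    awk -F= '
        /^[ \t]*;/ { next }                      # whole-line comment
        $1 ~ /^[ \t]*soap\.wsdl_cache_dir[ \t]*$/ {
            v = $2
            sub(/[ \t]*;.*$/, "", v)             # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # spaces and quotes
            dir = v
        }
        END { print (dir == "" ? "/tmp" : dir) }
    ' "$1"
}

# Return 0 when the cache directory is acceptable, 1 when other local
# users could plant files in it. Prints a one-line verdict.
audit_wsdl_cache() {
    dir=$(wsdl_cache_dir_of "$1")
    case "$dir" in
        /tmp|/tmp/)
            echo "FAIL: soap.wsdl_cache_dir is $dir"; return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"; return 1
    fi
    # Character 9 of the ls mode string is the write bit for "other".
    if [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
        echo "FAIL: $dir is world-writable"; return 1
    fi
    echo "OK: soap.wsdl_cache_dir is $dir"
}

# Stand-alone use: sh this-script /path/to/php.ini
if [ $# -gt 0 ]; then
    audit_wsdl_cache "$1"
fi
```

A passing result still depends on the directory being owned by the account PHP runs as, which this script does not check.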