This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.
The remote FreeBSD host is missing one or more security-related
The Zend Framework team reports :
The XmlRpc package of Zend Framework is vulnerable to XML eXternal
Entity Injection attacks (both server and client). The
SimpleXMLElement class (SimpleXML PHP extension) is used in an
insecure way to parse XML data. External entities can be specified by
adding a specific DOCTYPE element to XML-RPC requests. By exploiting
this vulnerability an application may be coerced to open arbitrary
files and/or TCP connections.
Additionally, the Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc
components are vulnerable to XML Entity Expansion (XEE) vectors,
leading to Denial of Service vectors. XEE attacks occur when the XML
DOCTYPE declaration includes XML entity definitions that contain
either recursive or circular references; this leads to CPU and memory
consumption, making Denial of Service exploits trivial to implement.
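As an added illustration (not code from the advisory and not Zend Framework's own patch), the PHP sketch below shows one way to parse untrusted XML-RPC input so that any DOCTYPE declaration, the carrier for both the external entity and entity expansion vectors described above, is refused before the data reaches SimpleXML. The function name `parse_untrusted_xml` and both sample documents are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (name is an assumption): parse untrusted XML and
// refuse any document that carries a DOCTYPE declaration.
function parse_untrusted_xml(string $xml): SimpleXMLElement
{
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network access while loading. LIBXML_NOENT
        // and LIBXML_DTDLOAD are deliberately not set, so entities are not
        // substituted and no external DTD subset is loaded.
        if ($xml === '' || !$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // A DOCTYPE appears as a document-type child of the document node.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE is not allowed');
            }
        }
        $sx = simplexml_import_dom($dom);
        if (!$sx instanceof SimpleXMLElement) {
            throw new InvalidArgumentException('No document element');
        }
        return $sx;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample input: a plain XML-RPC request with no DOCTYPE.
$clean = '<?xml version="1.0"?><methodCall><methodName>ping</methodName></methodCall>';
// Constructed sample input: same request, but declaring an internal entity.
$withDoctype = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "x">]>'
             . '<methodCall><methodName>&e;</methodName></methodCall>';

echo (string) parse_untrusted_xml($clean)->methodName, PHP_EOL; // accepted

try {
    parse_untrusted_xml($withDoctype);
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL; // DOCTYPE refused
}
```

A check like this is defence in depth for code that must accept XML from untrusted peers; it does not replace updating the affected packages.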
Update the affected packages.
Risk factor :
Medium / CVSS Base Score : 6.4
Public Exploit Available : true