Detections
Analytics

MiracleLinux 4 : php-5.3.3-27.AXS4 (AXSA:2014-029:01)

critical Nessus Plugin ID 290123

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2014-029:01 advisory.

 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.
 The php package contains the module which adds support for the PHP language to Apache HTTP Server.
 Security issues fixed with this release:
 CVE-2006-7243 PHP before 5.3.4 accepts the character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php.jpg at the end of the argument to the file_exists function.
 CVE-2013-1643 The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.
 CVE-2013-4248 The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
 Fixed bugs:
 Previously, a virtual host on the Apache server could crash if the allow_call_time_pass_reference setting was disabled. This has been fixed.
 Previously, the fclose(), file_put_contents(), or copy() functions did not report their error, leading to potential dataloss. This has been fixed and they now report any error Previously, a buffer overflow occurred when some calls exceeded the 5 characters limit of the internal buffer for the SQLSTATE error code. This has been fixed and messages longer than 5 characters are replaced with the default HY000 string.
 Enhancement:
 Added the following rpm macros to the php package: %__php, %php_inidir, %php_incldir.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/4495

Plugin Details

Severity: Critical

ID: 290123

File Name: miracle_linux_AXSA-2014-029.nasl

Version: 1.1

Type: local

Published: 1/16/2026

Updated: 1/16/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2013-1643

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2006-7243

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:php-pgsql, p-cpe:/a:miracle:linux:php-pdo, p-cpe:/a:miracle:linux:php-mysql, p-cpe:/a:miracle:linux:php-xml, p-cpe:/a:miracle:linux:php, p-cpe:/a:miracle:linux:php-mbstring, p-cpe:/a:miracle:linux:php-gd, p-cpe:/a:miracle:linux:php-common, p-cpe:/a:miracle:linux:php-soap, p-cpe:/a:miracle:linux:php-bcmath, p-cpe:/a:miracle:linux:php-xmlrpc, cpe:/o:miracle:linux:4, p-cpe:/a:miracle:linux:php-ldap, p-cpe:/a:miracle:linux:php-cli, p-cpe:/a:miracle:linux:php-odbc

Required KB Items: Host/local_checks_enabled, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/18/2014

Vulnerability Publication Date: 12/18/2006

Reference Information

CVE: CVE-2006-7243, CVE-2013-1643, CVE-2013-4248