PHP 5.4.x < 5.4.40 / 5.5.x < 5.5.24 / 5.6.x < 5.6.8 'php_sdl.c' WSDL Injection

medium Nessus Network Monitor Plugin ID 8789

Synopsis

The remote web server uses a version of PHP that is affected by a SOAP WSDL injection vulnerability.

Description

Versions of PHP 5.4.x earlier than 5.4.40, 5.5.x earlier than 5.5.24, or 5.6.x earlier than 5.6.8 contain a flaw in the handling of the SOAP WSDL cache directory: the program creates the cache files in a predictable manner. This may allow a remote attacker to inject WSDL files and have them used in place of the intended file. Specifically, the default 'soap.wsdl_cache_dir' setting in 'php.ini-production' and 'php.ini-development' specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the 'get_sdl' function in 'ext/soap/php_sdl.c'.

Solution

Set 'soap.wsdl_cache_dir' to a directory other than /tmp for the WSDL cache.
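
An added example (not part of the original plugin text and not PHP project code): a Python check that reads php.ini text and reports whether the effective 'soap.wsdl_cache_dir' is /tmp or another world-writable directory. The function names and the sample fragment are constructed for illustration, and the fallback values assume PHP's built-in defaults for the two directives.

```python
import os
import stat

# Assumption: values PHP uses when php.ini does not set these directives.
DEFAULTS = {"soap.wsdl_cache_enabled": "1", "soap.wsdl_cache_dir": "/tmp"}

# Constructed sample php.ini fragment showing the weak setting.
WEAK_INI = """[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
"""

def soap_cache_settings(ini_text):
    """Return the effective soap.wsdl_cache_* values from php.ini text."""
    settings = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line:
            continue  # section header or blank line
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            settings[key] = value.strip("\"'")  # last assignment wins
    return settings

def audit_wsdl_cache(ini_text):
    """Return a list of findings; an empty list means no issue was found."""
    s = soap_cache_settings(ini_text)
    if s["soap.wsdl_cache_enabled"].lower() in ("0", "off", "false", "no", ""):
        return []  # cache disabled, so no cache file is read from disk
    path = os.path.realpath(s["soap.wsdl_cache_dir"])
    findings = []
    if path == os.path.realpath("/tmp"):
        findings.append("cache dir is /tmp")
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return findings + ["cache dir missing: " + path]
    if mode & stat.S_IWOTH:  # any local user can create files here
        findings.append("cache dir is world-writable: " + path)
    return findings

if __name__ == "__main__":
    print(audit_wsdl_cache(WEAK_INI))
```

A clean result is an empty list, which a dedicated directory writable only by the account running PHP produces.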

See Also

http://www.nessus.org/u?14fab4e5

http://www.nessus.org/u?45b3da23

http://www.php.net/ChangeLog-5.php#5.6.8

Plugin Details

Severity: Medium

ID: 8789

Family: Web Servers

Published: 6/18/2015

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 4.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:W/RC:R

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2/8/2015

Vulnerability Publication Date: 2/8/2015

Reference Information

CVE: CVE-2013-6501

BID: 72530