The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)

  - The ip2long function in PHP 5.1.4 and earlier may incorrectly validate an arbitrary string and return a     valid network IP address, which allows remote attackers to obtain network information and facilitate other     attacks, as demonstrated using SQL injection in the X-FORWARDED-FOR Header in index.php in MiniBB 2.0.
    NOTE: it could be argued that the ip2long behavior represents a risk for security-relevant issues in a way     that is similar to strcpy's role in buffer overflows, in which case this would be a class of     implementation bugs that would require separate CVE items for each PHP application that uses ip2long in a     security-relevant manner. (CVE-2006-4023)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Heap-based buffer over-read in mbstring regular expression functions (CVE-2019-9023)

  - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to     hijack web sessions by specifying a session ID. (CVE-2011-4718)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)

  - The ip2long function in PHP 5.1.4 and earlier may incorrectly validate an arbitrary string and return a     valid network IP address, which allows remote attackers to obtain network information and facilitate other     attacks, as demonstrated using SQL injection in the X-FORWARDED-FOR Header in index.php in MiniBB 2.0.
    NOTE: it could be argued that the ip2long behavior represents a risk for security-relevant issues in a way     that is similar to strcpy's role in buffer overflows, in which case this would be a class of     implementation bugs that would require separate CVE items for each PHP application that uses ip2long in a     security-relevant manner. (CVE-2006-4023)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

Versions of PHP 5.4.x earlier than 5.4.40, 5.5.x earlier than 5.5.24, or 5.6.x earlier than 5.6.8 contain a flaw in the cache directory that is due to the program creating files for the cache in a predictable manner. This may allow a remote attacker to inject WSDL files and have them be used in place of the intended file. Specifically, the default 'soap.wsdl_cache_dir' setting in 'php.ini-production' and 'php.ini-development' specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the 'get_sdl' function in 'ext/soap/php_sdl.c'.

php5 has been updated to fix two security issues :

  - Out of bounds read in mconvert(). (bnc#917150).
    (CVE-2014-9652)

  - Use after free vulnerability in unserialize() with     DateTimeZone. (bnc#918768). (CVE-2015-0273)

ID	Name	Product	Family	Severity
198558	RHEL 6 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198511	RHEL 7 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198485	RHEL 5 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
91704	GLSA-201606-10 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
8789	PHP 5.4.x < 5.4.40 / 5.5.x < 5.5.24 / 5.6.x < 5.6.8 'php_sdl.c' WSDL Injection	Nessus Network Monitor	Web Servers	medium
81665	SuSE 11.3 Security Update : PHP 5.3 (SAT Patch Number 10370)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2013-6501

high

Tenable Plugins

critical

critical

critical

critical

medium

high