| VID |
22586 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.13. It is, therefore, potentially affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.
Note: This check solely relied on the banner of the remote HTTP server to assess this vulnerability, so this might be a false positive.
* References:
https://github.com/php/php-src/commit/8e76d0404b7f664ee6719fd98f0483f0ac4669d6
http://www.php.net/ChangeLog-5.php#5.4.13
* Platforms Affected:
PHP Prior to 5.4.13
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of PHP (5.4.13 or later), available from the PHP Web site at http://www.php.net/ |
| Related URL |
CVE-2013-1824 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
