CVE-2013-1643: Infoleak
First published: Tue Mar 05 2013(Updated: )
A security flaw was found in the way SOAP parser of PHP processed certain SOAP objects (due to allowed expansion of XML external entities during SOAP WSDL files parsing, it was previously possible to read arbitrary system files, accessible with the privileges of the PHP application). If a PHP application accepted untrusted SOAP object input remotely from clients, an attacker could use this flaw for unauthorized of read system files (accesible with the privileges of the PHP application). References: [1] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221</a> [2] <a href="https://bugs.gentoo.org/show_bug.cgi?id=459904">https://bugs.gentoo.org/show_bug.cgi?id=459904</a> [3] <a href="http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/">http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/</a> Relevant upstream patch: [4] <a href="http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36">http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/php | <5.3.23 | 5.3.23 |
| redhat/php | <5.4.13 | 5.4.13 |
| PHP PHP | <=5.3.21 | |
| PHP PHP | =1.0 | |
| PHP PHP | =2.0 | |
| PHP PHP | =2.0b10 | |
| PHP PHP | =3.0 | |
| PHP PHP | =3.0.1 | |
| PHP PHP | =3.0.2 | |
| PHP PHP | =3.0.3 | |
| PHP PHP | =3.0.4 | |
| PHP PHP | =3.0.5 | |
| PHP PHP | =3.0.6 | |
| PHP PHP | =3.0.7 | |
| PHP PHP | =3.0.8 | |
| PHP PHP | =3.0.9 | |
| PHP PHP | =3.0.10 | |
| PHP PHP | =3.0.11 | |
| PHP PHP | =3.0.12 | |
| PHP PHP | =3.0.13 | |
| PHP PHP | =3.0.14 | |
| PHP PHP | =3.0.15 | |
| PHP PHP | =3.0.16 | |
| PHP PHP | =3.0.17 | |
| PHP PHP | =3.0.18 | |
| PHP PHP | =4.0-beta_4_patch1 | |
| PHP PHP | =4.0-beta1 | |
| PHP PHP | =4.0-beta2 | |
| PHP PHP | =4.0-beta3 | |
| PHP PHP | =4.0-beta4 | |
| PHP PHP | =4.0.0 | |
| PHP PHP | =4.0.1 | |
| PHP PHP | =4.0.2 | |
| PHP PHP | =4.0.3 | |
| PHP PHP | =4.0.4 | |
| PHP PHP | =4.0.5 | |
| PHP PHP | =4.0.6 | |
| PHP PHP | =4.0.7 | |
| PHP PHP | =4.1.0 | |
| PHP PHP | =4.1.1 | |
| PHP PHP | =4.1.2 | |
| PHP PHP | =4.2.0 | |
| PHP PHP | =4.2.1 | |
| PHP PHP | =4.2.2 | |
| PHP PHP | =4.2.3 | |
| PHP PHP | =4.3.0 | |
| PHP PHP | =4.3.1 | |
| PHP PHP | =4.3.2 | |
| PHP PHP | =4.3.3 | |
| PHP PHP | =4.3.4 | |
| PHP PHP | =4.3.5 | |
| PHP PHP | =4.3.6 | |
| PHP PHP | =4.3.7 | |
| PHP PHP | =4.3.8 | |
| PHP PHP | =4.3.9 | |
| PHP PHP | =4.3.10 | |
| PHP PHP | =4.3.11 | |
| PHP PHP | =4.4.0 | |
| PHP PHP | =4.4.1 | |
| PHP PHP | =4.4.2 | |
| PHP PHP | =4.4.3 | |
| PHP PHP | =4.4.4 | |
| PHP PHP | =4.4.5 | |
| PHP PHP | =4.4.6 | |
| PHP PHP | =4.4.7 | |
| PHP PHP | =4.4.8 | |
| PHP PHP | =4.4.9 | |
| PHP PHP | =5.0.0 | |
| PHP PHP | =5.0.0-beta1 | |
| PHP PHP | =5.0.0-beta2 | |
| PHP PHP | =5.0.0-beta3 | |
| PHP PHP | =5.0.0-beta4 | |
| PHP PHP | =5.0.0-rc1 | |
| PHP PHP | =5.0.0-rc2 | |
| PHP PHP | =5.0.0-rc3 | |
| PHP PHP | =5.0.1 | |
| PHP PHP | =5.0.2 | |
| PHP PHP | =5.0.3 | |
| PHP PHP | =5.0.4 | |
| PHP PHP | =5.0.5 | |
| PHP PHP | =5.1.0 | |
| PHP PHP | =5.1.1 | |
| PHP PHP | =5.1.2 | |
| PHP PHP | =5.1.3 | |
| PHP PHP | =5.1.4 | |
| PHP PHP | =5.1.5 | |
| PHP PHP | =5.1.6 | |
| PHP PHP | =5.2.0 | |
| PHP PHP | =5.2.1 | |
| PHP PHP | =5.2.2 | |
| PHP PHP | =5.2.3 | |
| PHP PHP | =5.2.4 | |
| PHP PHP | =5.2.5 | |
| PHP PHP | =5.2.6 | |
| PHP PHP | =5.2.7 | |
| PHP PHP | =5.2.8 | |
| PHP PHP | =5.2.9 | |
| PHP PHP | =5.2.10 | |
| PHP PHP | =5.2.11 | |
| PHP PHP | =5.2.12 | |
| PHP PHP | =5.2.13 | |
| PHP PHP | =5.2.14 | |
| PHP PHP | =5.2.15 | |
| PHP PHP | =5.2.16 | |
| PHP PHP | =5.2.17 | |
| PHP PHP | =5.3.0 | |
| PHP PHP | =5.3.1 | |
| PHP PHP | =5.3.2 | |
| PHP PHP | =5.3.3 | |
| PHP PHP | =5.3.4 | |
| PHP PHP | =5.3.5 | |
| PHP PHP | =5.3.6 | |
| PHP PHP | =5.3.7 | |
| PHP PHP | =5.3.8 | |
| PHP PHP | =5.3.9 | |
| PHP PHP | =5.3.10 | |
| PHP PHP | =5.3.11 | |
| PHP PHP | =5.3.12 | |
| PHP PHP | =5.3.13 | |
| PHP PHP | =5.3.14 | |
| PHP PHP | =5.3.15 | |
| PHP PHP | =5.3.16 | |
| PHP PHP | =5.3.17 | |
| PHP PHP | =5.3.18 | |
| PHP PHP | =5.3.19 | |
| PHP PHP | =5.3.20 | |
| PHP PHP | =5.4.0 | |
| PHP PHP | =5.4.1 | |
| PHP PHP | =5.4.2 | |
| PHP PHP | =5.4.3 | |
| PHP PHP | =5.4.4 | |
| PHP PHP | =5.4.5 | |
| PHP PHP | =5.4.6 | |
| PHP PHP | =5.4.7 | |
| PHP PHP | =5.4.8 | |
| PHP PHP | =5.4.9 | |
| PHP PHP | =5.4.10 | |
| PHP PHP | =5.4.11 | |
| PHP PHP | =5.4.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
- https://bugs.gentoo.org/show_bug.cgi?id=459904
- http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/
- http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
- http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
- http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3
- https://access.redhat.com/security/cve/CVE-2013-1824
- http://git.php.net/?p=php-src.git;a=commitdiff;h=afe98b7829d50806559acac9b530acb8283c3bf4
- http://git.php.net/?p=php-src.git;a=commitdiff;h=188c196d4da60bdde9190d2fc532650d17f7af2d
- http://git.php.net/?p=php-src.git;a=commitdiff;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- http://git.php.net/?p=php-src.git;a=commitdiff;h=fcd4b5335a6df4e0676ee32e2267ca71d70fe623
- https://rhn.redhat.com/errata/RHSA-2013-1307.html
- https://rhn.redhat.com/errata/RHSA-2013-1615.html
- https://rhn.redhat.com/errata/RHSA-2013-1814.html
- https://bugzilla.redhat.com/show_bug.cgi?id=918187
- http://git.php.net/?p=php-src.git;a=commit;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2013-1307.html
- http://rhn.redhat.com/errata/RHSA-2013-1615.html
- http://secunia.com/advisories/55078
- http://support.apple.com/kb/HT5880
- http://www.debian.org/security/2013/dsa-2639
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:114
- http://www.php.net/ChangeLog-5.php
- http://www.ubuntu.com/usn/USN-1761-1
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-1643
- agent/software-canonical-lookup
- vendor/php
- canonical/php php
- version/php php/5.3.21
- version/php php/1.0
- version/php php/2.0
- version/php php/2.0b10
- version/php php/3.0
- version/php php/3.0.1
- version/php php/3.0.2
- version/php php/3.0.3
- version/php php/3.0.4
- version/php php/3.0.5
- version/php php/3.0.6
- version/php php/3.0.7
- version/php php/3.0.8
- version/php php/3.0.9
- version/php php/3.0.10
- version/php php/3.0.11
- version/php php/3.0.12
- version/php php/3.0.13
- version/php php/3.0.14
- version/php php/3.0.15
- version/php php/3.0.16
- version/php php/3.0.17
- version/php php/3.0.18
- version/php php/4.0-beta_4_patch1
- version/php php/4.0-beta1
- version/php php/4.0-beta2
- version/php php/4.0-beta3
- version/php php/4.0-beta4
- version/php php/4.0.0
- version/php php/4.0.1
- version/php php/4.0.2
- version/php php/4.0.3
- version/php php/4.0.4
- version/php php/4.0.5
- version/php php/4.0.6
- version/php php/4.0.7
- version/php php/4.1.0
- version/php php/4.1.1
- version/php php/4.1.2
- version/php php/4.2.0
- version/php php/4.2.1
- version/php php/4.2.2
- version/php php/4.2.3
- version/php php/4.3.0
- version/php php/4.3.1
- version/php php/4.3.2
- version/php php/4.3.3
- version/php php/4.3.4
- version/php php/4.3.5
- version/php php/4.3.6
- version/php php/4.3.7
- version/php php/4.3.8
- version/php php/4.3.9
- version/php php/4.3.10
- version/php php/4.3.11
- version/php php/4.4.0
- version/php php/4.4.1
- version/php php/4.4.2
- version/php php/4.4.3
- version/php php/4.4.4
- version/php php/4.4.5
- version/php php/4.4.6
- version/php php/4.4.7
- version/php php/4.4.8
- version/php php/4.4.9
- version/php php/5.0.0
- version/php php/5.0.0-beta1
- version/php php/5.0.0-beta2
- version/php php/5.0.0-beta3
- version/php php/5.0.0-beta4
- version/php php/5.0.0-rc1
- version/php php/5.0.0-rc2
- version/php php/5.0.0-rc3
- version/php php/5.0.1
- version/php php/5.0.2
- version/php php/5.0.3
- version/php php/5.0.4
- version/php php/5.0.5
- version/php php/5.1.0
- version/php php/5.1.1
- version/php php/5.1.2
- version/php php/5.1.3
- version/php php/5.1.4
- version/php php/5.1.5
- version/php php/5.1.6
- version/php php/5.2.0
- version/php php/5.2.1
- version/php php/5.2.2
- version/php php/5.2.3
- version/php php/5.2.4
- version/php php/5.2.5
- version/php php/5.2.6
- version/php php/5.2.7
- version/php php/5.2.8
- version/php php/5.2.9
- version/php php/5.2.10
- version/php php/5.2.11
- version/php php/5.2.12
- version/php php/5.2.13
- version/php php/5.2.14
- version/php php/5.2.15
- version/php php/5.2.16
- version/php php/5.2.17
- version/php php/5.3.0
- version/php php/5.3.1
- version/php php/5.3.2
- version/php php/5.3.3
- version/php php/5.3.4
- version/php php/5.3.5
- version/php php/5.3.6
- version/php php/5.3.7
- version/php php/5.3.8
- version/php php/5.3.9
- version/php php/5.3.10
- version/php php/5.3.11
- version/php php/5.3.12
- version/php php/5.3.13
- version/php php/5.3.14
- version/php php/5.3.15
- version/php php/5.3.16
- version/php php/5.3.17
- version/php php/5.3.18
- version/php php/5.3.19
- version/php php/5.3.20
- version/php php/5.4.0
- version/php php/5.4.1
- version/php php/5.4.2
- version/php php/5.4.3
- version/php php/5.4.4
- version/php php/5.4.5
- version/php php/5.4.6
- version/php php/5.4.7
- version/php php/5.4.8
- version/php php/5.4.9
- version/php php/5.4.10
- version/php php/5.4.11
- version/php php/5.4.12
- package-manager/redhat