CVE-2013-1643: Infoleak
First published: Tue Mar 05 2013(Updated: )
A security flaw was found in the way SOAP parser of PHP processed certain SOAP objects (due to allowed expansion of XML external entities during SOAP WSDL files parsing, it was previously possible to read arbitrary system files, accessible with the privileges of the PHP application). If a PHP application accepted untrusted SOAP object input remotely from clients, an attacker could use this flaw for unauthorized of read system files (accesible with the privileges of the PHP application). References: [1] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221</a> [2] <a href="https://bugs.gentoo.org/show_bug.cgi?id=459904">https://bugs.gentoo.org/show_bug.cgi?id=459904</a> [3] <a href="http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/">http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/</a> Relevant upstream patch: [4] <a href="http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36">http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/php | <5.3.23 | 5.3.23 |
| redhat/php | <5.4.13 | 5.4.13 |
| PHP | <=5.3.21 | |
| PHP | =1.0 | |
| PHP | =2.0 | |
| PHP | =2.0b10 | |
| PHP | =3.0 | |
| PHP | =3.0.1 | |
| PHP | =3.0.2 | |
| PHP | =3.0.3 | |
| PHP | =3.0.4 | |
| PHP | =3.0.5 | |
| PHP | =3.0.6 | |
| PHP | =3.0.7 | |
| PHP | =3.0.8 | |
| PHP | =3.0.9 | |
| PHP | =3.0.10 | |
| PHP | =3.0.11 | |
| PHP | =3.0.12 | |
| PHP | =3.0.13 | |
| PHP | =3.0.14 | |
| PHP | =3.0.15 | |
| PHP | =3.0.16 | |
| PHP | =3.0.17 | |
| PHP | =3.0.18 | |
| PHP | =4.0-beta_4_patch1 | |
| PHP | =4.0-beta1 | |
| PHP | =4.0-beta2 | |
| PHP | =4.0-beta3 | |
| PHP | =4.0-beta4 | |
| PHP | =4.0.0 | |
| PHP | =4.0.1 | |
| PHP | =4.0.2 | |
| PHP | =4.0.3 | |
| PHP | =4.0.4 | |
| PHP | =4.0.5 | |
| PHP | =4.0.6 | |
| PHP | =4.0.7 | |
| PHP | =4.1.0 | |
| PHP | =4.1.1 | |
| PHP | =4.1.2 | |
| PHP | =4.2.0 | |
| PHP | =4.2.1 | |
| PHP | =4.2.2 | |
| PHP | =4.2.3 | |
| PHP | =4.3.0 | |
| PHP | =4.3.1 | |
| PHP | =4.3.2 | |
| PHP | =4.3.3 | |
| PHP | =4.3.4 | |
| PHP | =4.3.5 | |
| PHP | =4.3.6 | |
| PHP | =4.3.7 | |
| PHP | =4.3.8 | |
| PHP | =4.3.9 | |
| PHP | =4.3.10 | |
| PHP | =4.3.11 | |
| PHP | =4.4.0 | |
| PHP | =4.4.1 | |
| PHP | =4.4.2 | |
| PHP | =4.4.3 | |
| PHP | =4.4.4 | |
| PHP | =4.4.5 | |
| PHP | =4.4.6 | |
| PHP | =4.4.7 | |
| PHP | =4.4.8 | |
| PHP | =4.4.9 | |
| PHP | =5.0.0 | |
| PHP | =5.0.0-beta1 | |
| PHP | =5.0.0-beta2 | |
| PHP | =5.0.0-beta3 | |
| PHP | =5.0.0-beta4 | |
| PHP | =5.0.0-rc1 | |
| PHP | =5.0.0-rc2 | |
| PHP | =5.0.0-rc3 | |
| PHP | =5.0.1 | |
| PHP | =5.0.2 | |
| PHP | =5.0.3 | |
| PHP | =5.0.4 | |
| PHP | =5.0.5 | |
| PHP | =5.1.0 | |
| PHP | =5.1.1 | |
| PHP | =5.1.2 | |
| PHP | =5.1.3 | |
| PHP | =5.1.4 | |
| PHP | =5.1.5 | |
| PHP | =5.1.6 | |
| PHP | =5.2.0 | |
| PHP | =5.2.1 | |
| PHP | =5.2.2 | |
| PHP | =5.2.3 | |
| PHP | =5.2.4 | |
| PHP | =5.2.5 | |
| PHP | =5.2.6 | |
| PHP | =5.2.7 | |
| PHP | =5.2.8 | |
| PHP | =5.2.9 | |
| PHP | =5.2.10 | |
| PHP | =5.2.11 | |
| PHP | =5.2.12 | |
| PHP | =5.2.13 | |
| PHP | =5.2.14 | |
| PHP | =5.2.15 | |
| PHP | =5.2.16 | |
| PHP | =5.2.17 | |
| PHP | =5.3.0 | |
| PHP | =5.3.1 | |
| PHP | =5.3.2 | |
| PHP | =5.3.3 | |
| PHP | =5.3.4 | |
| PHP | =5.3.5 | |
| PHP | =5.3.6 | |
| PHP | =5.3.7 | |
| PHP | =5.3.8 | |
| PHP | =5.3.9 | |
| PHP | =5.3.10 | |
| PHP | =5.3.11 | |
| PHP | =5.3.12 | |
| PHP | =5.3.13 | |
| PHP | =5.3.14 | |
| PHP | =5.3.15 | |
| PHP | =5.3.16 | |
| PHP | =5.3.17 | |
| PHP | =5.3.18 | |
| PHP | =5.3.19 | |
| PHP | =5.3.20 | |
| PHP | =5.4.0 | |
| PHP | =5.4.1 | |
| PHP | =5.4.2 | |
| PHP | =5.4.3 | |
| PHP | =5.4.4 | |
| PHP | =5.4.5 | |
| PHP | =5.4.6 | |
| PHP | =5.4.7 | |
| PHP | =5.4.8 | |
| PHP | =5.4.9 | |
| PHP | =5.4.10 | |
| PHP | =5.4.11 | |
| PHP | =5.4.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
- https://bugs.gentoo.org/show_bug.cgi?id=459904
- http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:016/
- http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
- http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
- http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3
- https://access.redhat.com/security/cve/CVE-2013-1824
- http://git.php.net/?p=php-src.git;a=commitdiff;h=afe98b7829d50806559acac9b530acb8283c3bf4
- http://git.php.net/?p=php-src.git;a=commitdiff;h=188c196d4da60bdde9190d2fc532650d17f7af2d
- http://git.php.net/?p=php-src.git;a=commitdiff;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- http://git.php.net/?p=php-src.git;a=commitdiff;h=fcd4b5335a6df4e0676ee32e2267ca71d70fe623
- https://rhn.redhat.com/errata/RHSA-2013-1307.html
- https://rhn.redhat.com/errata/RHSA-2013-1615.html
- https://rhn.redhat.com/errata/RHSA-2013-1814.html
- https://bugzilla.redhat.com/show_bug.cgi?id=918187
- http://git.php.net/?p=php-src.git;a=commit;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2013-1307.html
- http://rhn.redhat.com/errata/RHSA-2013-1615.html
- http://secunia.com/advisories/55078
- http://support.apple.com/kb/HT5880
- http://www.debian.org/security/2013/dsa-2639
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:114
- http://www.php.net/ChangeLog-5.php
- http://www.ubuntu.com/usn/USN-1761-1
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
Frequently Asked Questions
What is the severity of CVE-2013-1643?
The severity of CVE-2013-1643 is considered high due to its potential to allow unauthorized file access.
How do I fix CVE-2013-1643?
To fix CVE-2013-1643, upgrade PHP to version 5.3.23 or 5.4.13 or later.
Which versions of PHP are affected by CVE-2013-1643?
CVE-2013-1643 affects PHP versions up to and including 5.3.21 and 5.4.12.
What vulnerabilities can CVE-2013-1643 exploit?
CVE-2013-1643 can exploit vulnerabilities in the SOAP parser to read arbitrary system files.
Is CVE-2013-1643 remote code execution vulnerability?
CVE-2013-1643 is not a remote code execution vulnerability but allows file access on the server.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-1643
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/php
- canonical/php
- version/php/5.3.21
- version/php/1.0
- version/php/2.0
- version/php/2.0b10
- version/php/3.0
- version/php/3.0.1
- version/php/3.0.2
- version/php/3.0.3
- version/php/3.0.4
- version/php/3.0.5
- version/php/3.0.6
- version/php/3.0.7
- version/php/3.0.8
- version/php/3.0.9
- version/php/3.0.10
- version/php/3.0.11
- version/php/3.0.12
- version/php/3.0.13
- version/php/3.0.14
- version/php/3.0.15
- version/php/3.0.16
- version/php/3.0.17
- version/php/3.0.18
- version/php/4.0-beta_4_patch1
- version/php/4.0-beta1
- version/php/4.0-beta2
- version/php/4.0-beta3
- version/php/4.0-beta4
- version/php/4.0.0
- version/php/4.0.1
- version/php/4.0.2
- version/php/4.0.3
- version/php/4.0.4
- version/php/4.0.5
- version/php/4.0.6
- version/php/4.0.7
- version/php/4.1.0
- version/php/4.1.1
- version/php/4.1.2
- version/php/4.2.0
- version/php/4.2.1
- version/php/4.2.2
- version/php/4.2.3
- version/php/4.3.0
- version/php/4.3.1
- version/php/4.3.2
- version/php/4.3.3
- version/php/4.3.4
- version/php/4.3.5
- version/php/4.3.6
- version/php/4.3.7
- version/php/4.3.8
- version/php/4.3.9
- version/php/4.3.10
- version/php/4.3.11
- version/php/4.4.0
- version/php/4.4.1
- version/php/4.4.2
- version/php/4.4.3
- version/php/4.4.4
- version/php/4.4.5
- version/php/4.4.6
- version/php/4.4.7
- version/php/4.4.8
- version/php/4.4.9
- version/php/5.0.0
- version/php/5.0.0-beta1
- version/php/5.0.0-beta2
- version/php/5.0.0-beta3
- version/php/5.0.0-beta4
- version/php/5.0.0-rc1
- version/php/5.0.0-rc2
- version/php/5.0.0-rc3
- version/php/5.0.1
- version/php/5.0.2
- version/php/5.0.3
- version/php/5.0.4
- version/php/5.0.5
- version/php/5.1.0
- version/php/5.1.1
- version/php/5.1.2
- version/php/5.1.3
- version/php/5.1.4
- version/php/5.1.5
- version/php/5.1.6
- version/php/5.2.0
- version/php/5.2.1
- version/php/5.2.2
- version/php/5.2.3
- version/php/5.2.4
- version/php/5.2.5
- version/php/5.2.6
- version/php/5.2.7
- version/php/5.2.8
- version/php/5.2.9
- version/php/5.2.10
- version/php/5.2.11
- version/php/5.2.12
- version/php/5.2.13
- version/php/5.2.14
- version/php/5.2.15
- version/php/5.2.16
- version/php/5.2.17
- version/php/5.3.0
- version/php/5.3.1
- version/php/5.3.2
- version/php/5.3.3
- version/php/5.3.4
- version/php/5.3.5
- version/php/5.3.6
- version/php/5.3.7
- version/php/5.3.8
- version/php/5.3.9
- version/php/5.3.10
- version/php/5.3.11
- version/php/5.3.12
- version/php/5.3.13
- version/php/5.3.14
- version/php/5.3.15
- version/php/5.3.16
- version/php/5.3.17
- version/php/5.3.18
- version/php/5.3.19
- version/php/5.3.20
- version/php/5.4.0
- version/php/5.4.1
- version/php/5.4.2
- version/php/5.4.3
- version/php/5.4.4
- version/php/5.4.5
- version/php/5.4.6
- version/php/5.4.7
- version/php/5.4.8
- version/php/5.4.9
- version/php/5.4.10
- version/php/5.4.11
- version/php/5.4.12