Arbitrary file disclosure vulnerability in PHP via SOAP WSDL file
ID: oval:org.secpod.oval:def:15484 | Date: (C)2013-09-20 (M)2023-02-20 |
Class: VULNERABILITY | Family: macos |
The host is installed with Apple Mac OS X 10.6 through 10.6.8, Mac OS X Lion 10.7 through 10.7.5, or Mac OS X Mountain Lion 10.8 through 10.8.4 and is prone to an arbitrary file disclosure vulnerability. The flaw is present in the SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12, which fails to handle a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. Successful exploitation allows remote attackers to read arbitrary files.
Platform: |
Apple Mac OS X 10.6 |
Apple Mac OS X Server 10.6 |
Apple Mac OS X 10.7 |
Apple Mac OS X Server 10.7 |
Apple Mac OS X 10.8 |
Apple Mac OS X Server 10.8 |