virus logo Web Application Security

Red.Hat.Update.for.PHP.RHSA-2013-1814

description-logoDescription

PHP is a scripting language available multiple platforms. It is popular in web application development.
There are few vulnerabilities identified in the application.
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. (CVE-2011-1398)
Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an \"overflow.\" (CVE-2012-2688)
The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824. (CVE-2013-1643)
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function. (CVE-2013-6420)
RedHat addressed these issue in its security advisory http://rhn.redhat.com/errata/RHSA-2013-1814.html

affected-products-logoAffected Products

RedHat 5

Impact logoImpact

The vulnerable system can be compromised by a remote attacker to retrieve content or modify application setting on the system. Therefore there is a risk of creating a denial of service scenario, exposing sensitive information or executing arbitrary code.

recomended-action-logoRecommended Actions

Please download and apply patches as instructed in http://rhn.redhat.com/errata/RHSA-2013-1814.html.

Version Updates

Date Version Detail
2022-08-30 0.00327

CVE References

CVE-2012-2688
ID 1090501558
Created Aug 31, 2022
Updated Aug 31, 2022
Risk black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon
Default Action pass
Active
Affected OS null
Affected App null
Engine Version 5.0.1 or later