CVE-2013-6501 - Vulnerability Details - OpenCVE

The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Php	Php
Suse	Linux Enterprise Server

Configuration 1 [-]

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:suse:linux_enterprise_server:11.0:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_server:11.0:sp3:::vmware:::*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.securityfocus.com/bid/72530
https://bugzilla.redhat.com/show_bug.cgi?id=1009103
https://nvd.nist.gov/vuln/detail/CVE-2013-6501
https://security.gentoo.org/glsa/201606-10
https://www.cve.org/CVERecord?id=CVE-2013-6501

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2015-03-30T10:00:00

Updated: 2024-08-06T17:46:22.262Z

Reserved: 2013-11-04T00:00:00

Link: CVE-2013-6501

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-03-30T10:59:00.067

Modified: 2025-04-12T10:46:40.837

Link: CVE-2013-6501

Redhat

Severity : Low

Publid Date: 2015-02-08T00:00:00Z

Links: CVE-2013-6501 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-02-08T00:00:00", "descriptions": [{"lang": "en", "value": "The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-28T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009103"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"}, {"name": "SUSE-SU-2015:0436", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html"}, {"name": "72530", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72530"}, {"name": "GLSA-201606-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201606-10"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T17:46:22.262Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009103"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"}, {"name": "SUSE-SU-2015:0436", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html"}, {"name": "72530", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72530"}, {"name": "GLSA-201606-10", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201606-10"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-6501", "datePublished": "2015-03-30T10:00:00", "dateReserved": "2013-11-04T00:00:00", "dateUpdated": "2024-08-06T17:46:22.262Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC39D70D-FA26-4EC1-9C4E-BD92043D8460", "versionEndIncluding": "5.6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:11.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "01E21741-9D7D-42DD-B70D-5FD3053DE780", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:linux_enterprise_server:11.0:sp3:*:*:vmware:*:*:*", "matchCriteriaId": "46F48448-E2DE-419B-A05E-BEE60B07E12C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c."}, {"lang": "es", "value": "La configuraci\u00f3n por defecto soap.wsdl_cache_dir en (1) php.ini-production y (2) php.ini-development en PHP hasta 5.6.7 especifica el directorio /tmp, lo que facilita a usuarios locales realizar ataques de inyecci\u00f3n WSDL mediante la creaci\u00f3n de un fichero bajo /tmp con un nombre de fichero previsible que la funci\u00f3n get_sdl utiliza en ext/soap/php_sdl.c."}], "id": "CVE-2013-6501", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-30T10:59:00.067", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/72530"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009103"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201606-10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/72530"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009103"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201606-10"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Michael Scherer (Red Hat).", "bugzilla": {"description": "php: predictable file name used for cache in world writeable directory", "id": "1009103", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009103"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:L/AC:H/Au:N/C:P/I:P/A:N", "status": "draft"}, "cwe": "CWE-377", "details": ["The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.", "It was found that the PHP WSDL extension used a file with a predictable name in a world readable directory as a cache. A local attacker could use this flaw to poison the cache using a specially crafted temporary file."], "name": "CVE-2013-6501", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Will not fix", "package_name": "php", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "php", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "php53", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "php", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Will not fix", "package_name": "php54-php", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "php55-php", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-php56-php", "product_name": "Red Hat Software Collections"}], "public_date": "2015-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-6501\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-6501"], "threat_severity": "Low"}