When using a directory other than /tmp whose name starts with tmp,
iniscan issues a false positive:
[...]
soap.wsdl_cache_dir="/temp-php-wsdl"
[...]
Without the directory present:
[...]
FAIL | WARNING | | | soap.wsdl_cache_dir | The SOAP WSDL cache directory did not resolve to a valid directory
[...]
With the directory present:
[...]
FAIL | WARNING | | | soap.wsdl_cache_dir | The SOAP WSDL cache directory is inside of "/tmp/" which allows local users to conduct WSDL injection attacks (CVE-2013-6501)
[...]
Using a directory whose name does not start with /tmp[...]:
[...]
soap.wsdl_cache_dir="/temp-php-wsdl"
[...]
The directory has been ensured to be present; iniscan then passes:
[...]
PASS | WARNING | | | soap.wsdl_cache_dir | Security checks for CVE-2013-1635 and CVE-2013-6501
[...]
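
The report above matches what a raw string-prefix comparison against /tmp would produce; the page does not show iniscan's code, so that cause is an assumption. The PHP below is an added example, not part of the original report and not iniscan's own code, comparing such a prefix test with one that only matches on a path boundary. The function names (`isInsideNaive`, `isInside`, `cacheDirInTmp`) are hypothetical and the sample paths are constructed.

```php
<?php
declare(strict_types=1);

// Added example: not iniscan's code. All paths below are constructed samples.

/** Naive test: raw string prefix, so "/tmp-php-wsdl" counts as inside "/tmp". */
function isInsideNaive(string $dir, string $base): bool
{
    return strncmp($dir, $base, strlen($base)) === 0;
}

/**
 * Component-aware test on already-resolved absolute paths: both sides get
 * exactly one trailing slash, so a match must end on a path boundary.
 */
function isInside(string $dir, string $base): bool
{
    $dir  = rtrim($dir, '/') . '/';
    $base = rtrim($base, '/') . '/';
    return strncmp($dir, $base, strlen($base)) === 0;
}

/**
 * Hypothetical wrapper for a live setting: realpath() resolves symlinks and
 * ".." first and returns false when the path does not exist.
 * Returns null when the configured path cannot be resolved to a directory.
 */
function cacheDirInTmp(string $configured): ?bool
{
    $resolved = realpath($configured);
    $tmp      = realpath('/tmp');
    if ($resolved === false || $tmp === false || !is_dir($resolved)) {
        return null;
    }
    return isInside($resolved, $tmp);
}

// Constructed sample paths, compared as strings so the script runs anywhere.
$samples = ['/tmp', '/tmp/', '/tmp/wsdl-cache', '/tmp-php-wsdl',
            '/temp-php-wsdl', '/var/tmp/wsdl'];
foreach ($samples as $path) {
    printf("%-16s naive=%-5s component-aware=%s\n", $path,
        var_export(isInsideNaive($path, '/tmp'), true),
        var_export(isInside($path, '/tmp'), true));
}
```

Only `/tmp-php-wsdl` is classified differently by the two tests; `/tmp` itself and anything beneath it are still flagged by both.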