VYPR
Unrated severity · NVD Advisory · Published Nov 19, 2019 · Updated Aug 6, 2024

CVE-2012-6071

Description

nuSOAP before 0.7.3-5 fails to properly verify SSL/TLS certificate hostnames, enabling man-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

nuSOAP, a PHP library for SOAP messaging, fails to properly verify the hostname of a TLS/SSL certificate when making HTTPS connections. This vulnerability affects all versions before 0.7.3-5 [1][3]. The library does not validate that the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the intended server hostname, leaving connections open to man-in-the-middle attacks.

Exploitation

An attacker with network access (e.g., on the same network segment or via DNS spoofing) can intercept HTTPS traffic from an application using nuSOAP. By presenting a valid certificate issued by a trusted CA for any domain (or a self-signed certificate if the application does not verify the CA chain), the attacker can decrypt and modify SOAP messages. No authentication or user interaction is required beyond the initial connection [1][3].

Impact

Successful exploitation allows the attacker to read sensitive data transmitted in SOAP requests and responses, such as authentication credentials, business data, or API keys. The attacker can also alter SOAP messages, potentially leading to unauthorized actions or data corruption. The compromise is at the network level, affecting the confidentiality and integrity of all SOAP communications [1][3].

Mitigation

The issue is fixed in nuSOAP version 0.7.3-5 (as packaged in Debian unstable) [3]. Users should upgrade to this version or later. For Debian Squeeze, the issue is considered minor and no DSA was issued; users are advised to upgrade to a supported release or apply the fix manually. No workaround is available other than ensuring proper certificate validation in the application code [3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
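
The certificate validation the Mitigation paragraph asks of application code, shown for a generic PHP cURL client with a verification-disabled option set beside a hardened one. This is an added example, not nuSOAP's code or its fix; the function names, the CA bundle path and the sample option arrays are assumptions made for illustration.

```php
<?php
// Added example, not nuSOAP source; names, paths and sample arrays are hypothetical.
/** cURL options that enforce chain validation and hostname matching. */
function hardened_tls_options(string $caBundle): array
{
    return [
        CURLOPT_SSL_VERIFYPEER => true,  // validate the chain up to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the URL host
        CURLOPT_CAINFO         => $caBundle,
    ];
}

/** Report explicit downgrades; options left unset keep libcurl's verifying defaults. */
function audit_tls_options(array $opts): array
{
    $findings = [];
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts) && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off: untrusted chains are accepted';
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts) && (int) $opts[CURLOPT_SSL_VERIFYHOST] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: certificate name is not matched to the host';
    }
    return $findings;
}

/** POST a SOAP envelope; a chain or hostname failure throws instead of returning data. */
function post_soap(string $url, string $envelope, array $tlsOpts): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, $tlsOpts + [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $envelope,
        CURLOPT_HTTPHEADER     => ['Content-Type: text/xml; charset=utf-8'],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('TLS/HTTP failure: ' . curl_error($ch));
    }
    return $body;
}

// Constructed option sets: the first verifies the chain but skips the hostname check.
$weak = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 0];
$good = hardened_tls_options('/etc/ssl/certs/ca-certificates.crt');
foreach (['weak' => $weak, 'hardened' => $good] as $label => $opts) {
    $findings = audit_tls_options($opts);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

The audit function can be pointed at the option arrays an application passes to `curl_setopt_array` during code review; `post_soap` is defined but not called here because it needs a live endpoint.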

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
