[Forgot Password]
Login  Register Subscribe

23631

 
 

117687

 
 

98503

 
 

909

 
 

79281

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML

CVE-2016-5385

Date: (C)2016-08-25   (M)2017-11-18 


PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

CVSS Score: 5.1Access Vector: NETWORK
Exploit Score: 4.9Access Complexity: HIGH
Impact Score: 6.4Authentication: NONE
 Confidentiality: PARTIAL
 Integrity: PARTIAL
 Availability: PARTIAL





Reference:
SECTRACK-1036335
BID-91821
DSA-3631
FEDORA-2016-4e7db3d437
FEDORA-2016-8eb11666aa
FEDORA-2016-9c8cf5912c
GLSA-201611-22
RHSA-2016:1609
RHSA-2016:1610
RHSA-2016:1611
RHSA-2016:1612
RHSA-2016:1613
VU#797896
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
https://bugzilla.redhat.com/show_bug.cgi?id=1353794
https://github.com/guzzle/guzzle/releases/tag/6.2.1
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://httpoxy.org/
https://www.drupal.org/SA-CORE-2016-003
openSUSE-SU-2016:1922

CPE    2
cpe:/o:oracle:linux:7.0
cpe:/o:fedoraproject:fedora:23
CWE    1
CWE-284
OVAL    16
oval:org.secpod.oval:def:111138
oval:org.secpod.oval:def:111137
oval:org.secpod.oval:def:111134
oval:org.secpod.oval:def:501861
...

© 2013 SecPod Technologies