[Forgot Password]
Login  Register Subscribe

23631

 
 

115038

 
 

96174

 
 

909

 
 

78077

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML

CVE-2016-5385

Date: (C)2016-08-25   (M)2017-10-12
 
CVSS Score: 5.1Access Vector: NETWORK
Exploitability Subscore: 4.9Access Complexity: HIGH
Impact Subscore: 6.4Authentication: NONE
 Confidentiality: PARTIAL
 Integrity: PARTIAL
 Availability: PARTIAL











PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Reference:
SECTRACK-1036335
BID-91821
FEDORA-2016-4e7db3d437
FEDORA-2016-8eb11666aa
FEDORA-2016-9c8cf5912c
GLSA-201611-22
RHSA-2016:1609
RHSA-2016:1610
RHSA-2016:1611
RHSA-2016:1612
RHSA-2016:1613
VU#797896
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
https://bugzilla.redhat.com/show_bug.cgi?id=1353794
https://github.com/guzzle/guzzle/releases/tag/6.2.1
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://httpoxy.org/
https://www.drupal.org/SA-CORE-2016-003
openSUSE-SU-2016:1922

CPE    2
cpe:/o:fedoraproject:fedora:23
cpe:/o:oracle:linux:7.0
CWE    1
CWE-284
OVAL    16
oval:org.secpod.oval:def:111138
oval:org.secpod.oval:def:111137
oval:org.secpod.oval:def:111134
oval:org.secpod.oval:def:501861
...

© 2013 SecPod Technologies