PHP - (bulletinjul2017)
ID: oval:org.secpod.oval:def:2101298 | Date: (C)2019-12-30 (M)2024-05-22 |
Class: PATCH | Family: unix |
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv("HTTP_PROXY") call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
Product: |
web/php-56 |
web/php-56/extension/php-xdebug |
web/php-56/extension/php-suhosin-extension |