QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2016-5385

Back to search

CVE-2016-5385

Published: Jul 19, 2016

Modified: Aug 6, 2024

PUBLISHED

Description

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

VendorProductVersions

n/a

n/a

affected
n/a

References

FEDORA-2016-8eb11666aa
vendor-advisory
x_refsource_FEDORA
VU#797896
third-party-advisory
x_refsource_CERT-VN
GLSA-201611-22
vendor-advisory
x_refsource_GENTOO
openSUSE-SU-2016:1922
vendor-advisory
x_refsource_SUSE
RHSA-2016:1613
vendor-advisory
x_refsource_REDHAT
RHSA-2016:1611
vendor-advisory
x_refsource_REDHAT
RHSA-2016:1610
vendor-advisory
x_refsource_REDHAT
DSA-3631
vendor-advisory
x_refsource_DEBIAN
91821
vdb-entry
x_refsource_BID
FEDORA-2016-4e7db3d437
vendor-advisory
x_refsource_FEDORA
RHSA-2016:1609
vendor-advisory
x_refsource_REDHAT
1036335
vdb-entry
x_refsource_SECTRACK
https://httpoxy.org/
x_refsource_MISC
RHSA-2016:1612
vendor-advisory
x_refsource_REDHAT
FEDORA-2016-9c8cf5912c
vendor-advisory
x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now