CVE-2017-7189

Published: Jul 10, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

x_refsource_MISC

https://bugs.php.net/bug.php?id=74192

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2017-7189

Description

Affected Products

References