Your submission was sent successfully! Close

CVE-2016-10397

Published: 10 July 2017

In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).

Notes

AuthorNote
sbeattie
PEAR issues should go against php-pear as of xenial
Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
artful Does not exist

precise
Released (5.3.10-1ubuntu3.28)
trusty
Released (5.5.9+dfsg-1ubuntu4.22)
upstream
Released (5.6.28)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:
upstream: http://git.php.net/?p=php-src.git;a=commit;h=b061fa909de77085d3822a89ab901b934d0362c4
upstream: http://git.php.net/?p=php-src.git;a=commit;h=2d19c92fc2f14aa97db9094eaa0b67d1c3b12409 (regression?)
php7.0
Launchpad, Ubuntu, Debian
artful Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (7.0.13)
xenial Not vulnerable
(7.0.18-0ubuntu0.16.04.1)
yakkety Ignored
(reached end-of-life)
zesty Not vulnerable
(7.0.18-0ubuntu0.16.04.1)
php7.1
Launchpad, Ubuntu, Debian
artful Not vulnerable
(7.1.6-2ubuntu1)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

yakkety Does not exist

zesty Does not exist