CVE-2016-10397
Published: 10 July 2017
In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).
Notes
Author | Note |
---|---|
sbeattie | PEAR issues should go against php-pear as of xenial |
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
php5 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
precise |
Released
(5.3.10-1ubuntu3.28)
|
|
trusty |
Released
(5.5.9+dfsg-1ubuntu4.22)
|
|
upstream |
Released
(5.6.28)
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=b061fa909de77085d3822a89ab901b934d0362c4 upstream: http://git.php.net/?p=php-src.git;a=commit;h=2d19c92fc2f14aa97db9094eaa0b67d1c3b12409 (regression?) |
||
php7.0 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(7.0.13)
|
|
xenial |
Not vulnerable
(7.0.18-0ubuntu0.16.04.1)
|
|
yakkety |
Ignored
(reached end-of-life)
|
|
zesty |
Not vulnerable
(7.0.18-0ubuntu0.16.04.1)
|
|
php7.1 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.1.6-2ubuntu1)
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10397
- http://openwall.com/lists/oss-security/2017/07/10/6
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- https://ubuntu.com/security/notices/USN-3382-1
- https://ubuntu.com/security/notices/USN-3382-2
- NVD
- Launchpad
- Debian