CVE-2016-5385

Publication date 18 July 2016

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	16.04 LTS xenial	Not in release
	15.10 wily	Ignored end of life
	14.04 LTS trusty	Fixed 5.5.9+dfsg-1ubuntu4.19
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.24
php7.0	16.04 LTS xenial	Fixed 7.0.8-0ubuntu0.16.04.2
	15.10 wily	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9ebc96116b609cd3c969c2d5a460aaa904c2afec
php7.0	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9ebc96116b609cd3c969c2d5a460aaa904c2afec Upstream: http://git.php.net/?p=php-src.git;a=commit;h=b00f8f2a5bae651d6375ca34c676963f1f25ee5a

Severity score breakdown

Parameter	Value
Base score	8.1 · High
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-3045-1
PHP vulnerabilities
2 August 2016