CVE-2016-5385

Published: 18 July 2016

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
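The namespace conflict described above, modelled as an added example (not code from this page or from the PHP project): the RFC 3875 section 4.1.18 mapping turns a request's Proxy header into HTTP_PROXY, and two defensive checks remove it. It is written in Python to model the gateway side; the function names, sample headers and hostnames are constructed for illustration.

```python
# Added illustration; all names and sample values are hypothetical/constructed.

def cgi_env(headers, base_env):
    """Build a CGI environment as RFC 3875 section 4.1.18 describes:
    each request header becomes HTTP_<NAME>, upper-cased, '-' -> '_'."""
    env = dict(base_env)
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def strip_proxy_header(headers):
    """Gateway-side mitigation: drop the client's Proxy header
    (any letter case) before it is mapped into the environment."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]

def outbound_proxy(env):
    """What code that trusts HTTP_PROXY unconditionally would read."""
    return env.get("HTTP_PROXY")

def trusted_outbound_proxy(env):
    """Application-side check: when GATEWAY_INTERFACE is set the process
    runs under CGI, so HTTP_* variables are request data and
    HTTP_PROXY is ignored."""
    if "GATEWAY_INTERFACE" in env:
        return None
    return env.get("HTTP_PROXY")

# Constructed sample request headers and CGI base environment.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "sample/1.0"),
    ("Proxy", "http://proxy.example:8080"),
]
CGI_BASE = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}

if __name__ == "__main__":
    raw = cgi_env(SAMPLE_HEADERS, CGI_BASE)
    clean = cgi_env(strip_proxy_header(SAMPLE_HEADERS), CGI_BASE)
    print("unfiltered  HTTP_PROXY:", outbound_proxy(raw))
    print("header stripped       :", outbound_proxy(clean))
    print("CGI-aware application :", trusted_outbound_proxy(raw))
```
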

Priority

Medium

CVSS 3 base score: 8.1

Status

Package: php5 (Launchpad, Ubuntu, Debian)

  Release                             Status
  Upstream                            Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus)     Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)      Released (5.5.9+dfsg-1ubuntu4.19)

  Patches:
  Upstream: http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec
  Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9ebc96116b609cd3c969c2d5a460aaa904c2afec

Package: php7.0 (Launchpad, Ubuntu, Debian)

  Release                             Status
  Upstream                            Released (7.0.9)
  Ubuntu 16.04 ESM (Xenial Xerus)     Released (7.0.8-0ubuntu0.16.04.2)
  Ubuntu 14.04 ESM (Trusty Tahr)      Does not exist

  Patches:
  Upstream: http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec
  Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9ebc96116b609cd3c969c2d5a460aaa904c2afec
  Upstream: http://git.php.net/?p=php-src.git;a=commit;h=b00f8f2a5bae651d6375ca34c676963f1f25ee5a