← Retour aux CVEs
CVE-2016-5385
HIGH8.1
Description
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
Details CVE
Score CVSS v3.18.1
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteHIGH
Privileges requisNONE
Interaction utilisateurNONE
Publie7/19/2016
Derniere modification4/12/2025
Sourcenvd
Observations honeypot0
Produits affectes
debian:debian_linuxdrupal:drupalfedoraproject:fedorahp:storeever_msl6480_tape_libraryhp:storeever_msl6480_tape_library_firmwarehp:system_management_homepageopensuse:leaporacle:communications_user_data_repositoryoracle:enterprise_manager_ops_centeroracle:linuxphp:phpredhat:enterprise_linux_desktopredhat:enterprise_linux_serverredhat:enterprise_linux_workstation
Faiblesses (CWE)
CWE-601
References
http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-1609.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-1610.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-1611.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-1612.html(secalert@redhat.com)
http://rhn.redhat.com/errata/RHSA-2016-1613.html(secalert@redhat.com)
http://www.debian.org/security/2016/dsa-3631(secalert@redhat.com)
http://www.kb.cert.org/vuls/id/797896(secalert@redhat.com)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html(secalert@redhat.com)
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html(secalert@redhat.com)
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html(secalert@redhat.com)
http://www.securityfocus.com/bid/91821(secalert@redhat.com)
http://www.securitytracker.com/id/1036335(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=1353794(secalert@redhat.com)
https://github.com/guzzle/guzzle/releases/tag/6.2.1(secalert@redhat.com)
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us(secalert@redhat.com)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149(secalert@redhat.com)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297(secalert@redhat.com)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722(secalert@redhat.com)
https://httpoxy.org/(secalert@redhat.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/(secalert@redhat.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/(secalert@redhat.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/(secalert@redhat.com)
https://security.gentoo.org/glsa/201611-22(secalert@redhat.com)
https://www.drupal.org/SA-CORE-2016-003(secalert@redhat.com)
http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1609.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1610.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1611.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1612.html(af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1613.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2016/dsa-3631(af854a3a-2127-422b-91ae-364da2661108)
http://www.kb.cert.org/vuls/id/797896(af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/91821(af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1036335(af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=1353794(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/guzzle/guzzle/releases/tag/6.2.1(af854a3a-2127-422b-91ae-364da2661108)
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us(af854a3a-2127-422b-91ae-364da2661108)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149(af854a3a-2127-422b-91ae-364da2661108)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297(af854a3a-2127-422b-91ae-364da2661108)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722(af854a3a-2127-422b-91ae-364da2661108)
https://httpoxy.org/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/(af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201611-22(af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/SA-CORE-2016-003(af854a3a-2127-422b-91ae-364da2661108)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.