CVE-2016-5385
- Source
- https://cve.org/CVERecord?id=CVE-2016-5385
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5385.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2016-5385
- Aliases
- Downstream
- Related
- Published
- 2016-07-19T02:00:17.773Z
- Modified
- 2026-03-15T22:26:30.453580Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTPPROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
- https://security.gentoo.org/glsa/201611-22
- http://www.securityfocus.com/bid/91821
- http://rhn.redhat.com/errata/RHSA-2016-1612.html
- http://rhn.redhat.com/errata/RHSA-2016-1613.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297
- https://www.drupal.org/SA-CORE-2016-003
- http://rhn.redhat.com/errata/RHSA-2016-1609.html
- http://rhn.redhat.com/errata/RHSA-2016-1610.html
- https://github.com/guzzle/guzzle/releases/tag/6.2.1
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html
- http://rhn.redhat.com/errata/RHSA-2016-1611.html
- http://www.debian.org/security/2016/dsa-3631
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- https://httpoxy.org/
- http://www.kb.cert.org/vuls/id/797896
- http://www.securitytracker.com/id/1036335
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://bugzilla.redhat.com/show_bug.cgi?id=1353794
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Affected packages
Git / github.com/drupal/drupal
Affected ranges
- Type
- GIT
- Repo
- https://github.com/drupal/drupal
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "10.0.0" }, { "introduced": "0" }, { "last_affected": "10.0.1" } ] }
- Type
- GIT
- Repo
- https://github.com/guzzle/guzzle
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "6.0" }, { "introduced": "0" }, { "last_affected": "6.0" }, { "introduced": "0" }, { "last_affected": "6.0" } ] }
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixedIntroducedFixedIntroducedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "6-NA" }, { "introduced": "0" }, { "last_affected": "7-NA" }, { "introduced": "5.5.0" }, { "fixed": "5.5.38" }, { "introduced": "5.6.0" }, { "fixed": "5.6.24" }, { "introduced": "7.0.0" }, { "last_affected": "7.0.8" }, { "introduced": "0" }, { "last_affected": "8.0" }, { "introduced": "8.0.0" }, { "fixed": "8.1.7" } ] }
Affected versions
1.*
1.0
10.*
10.0.0
10.0.0-alpha1
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.0.0-alpha6
10.0.0-alpha7
10.0.0-beta1
10.0.0-beta2
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
2.*
2.0
3.*
3.0.1
4.*
4.0.0
4.0.0-rc.1
4.0.0-rc.2
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2.0
4.2.1
4.2.2
4.2.3
5.*
5.0-beta-1
5.0-beta-2
5.0-rc-1
5.0-rc-2
5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.2.0
5.3.0
6.*
6.0-beta-1
6.0-beta-2
6.0-beta-3
6.0-beta-4
6.0-rc-1
6.0-rc-2
6.0-rc-3
6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
7.*
7.0
7.0-alpha1
7.0-alpha2
7.0-alpha3
7.0-alpha4
7.0-alpha5
7.0-alpha6
7.0-alpha7
7.0-beta1
7.0-beta2
7.0-beta3
7.0-rc-1
7.0-rc-2
7.0-rc-3
7.0-rc-4
7.0-unstable-1
7.0-unstable-10
7.0-unstable-2
7.0-unstable-3
7.0-unstable-4
7.0-unstable-5
7.0-unstable-6
7.0-unstable-7
8.*
8.0-alpha10
8.0-alpha11
8.0-alpha12
8.0-alpha13
8.0-alpha2
8.0-alpha3
8.0-alpha4
8.0-alpha5
8.0-alpha6
8.0-alpha7
8.0-alpha8
8.0-alpha9
8.0.0
8.0.0-alpha14
8.0.0-alpha15
8.0.0-beta1
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-beta2
8.0.0-beta3
8.0.0-beta4
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta9
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.1.0-beta1
9.*
9.0.0-alpha1
9.0.0-alpha2
php-7.*
php-7.0.0
Other
start
v1.*
v1.0.0
v1.0.0beta1
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.6.0
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.8.0
v3.8.1
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "23"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "24"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.09"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.5.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "42.1"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5385.json"