CVE-2016-5385

Source
https://nvd.nist.gov/vuln/detail/CVE-2016-5385
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5385.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-5385
Aliases
Related
Published
2016-07-19T02:00:17Z
Modified
2024-09-03T01:24:00.488956Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTPPROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Type
GIT
Repo
https://github.com/php/php-src
Events

Affected versions

8.*

8.0.0
8.1.0
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6