CVE-2016-5385
- Source
- https://cve.org/CVERecord?id=CVE-2016-5385
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5385.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2016-5385
- Aliases
- Downstream
- Related
- Published
- 2016-07-19T02:00:17.773Z
- Modified
- 2026-04-10T03:51:40.535731Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTPPROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297
- https://httpoxy.org/
- http://rhn.redhat.com/errata/RHSA-2016-1609.html
- https://security.gentoo.org/glsa/201611-22
- http://rhn.redhat.com/errata/RHSA-2016-1610.html
- http://rhn.redhat.com/errata/RHSA-2016-1613.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.securityfocus.com/bid/91821
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- https://www.drupal.org/SA-CORE-2016-003
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html
- http://www.kb.cert.org/vuls/id/797896
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- http://rhn.redhat.com/errata/RHSA-2016-1611.html
- http://rhn.redhat.com/errata/RHSA-2016-1612.html
- http://www.debian.org/security/2016/dsa-3631
- http://www.securitytracker.com/id/1036335
- https://github.com/guzzle/guzzle/releases/tag/6.2.1
- https://bugzilla.redhat.com/show_bug.cgi?id=1353794
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Affected packages
Git / github.com/drupal/drupal
Affected ranges
- Type
- GIT
- Repo
- https://github.com/drupal/drupal
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "10.0.0" }, { "introduced": "0" }, { "last_affected": "10.0.1" } ] }
- Type
- GIT
- Repo
- https://github.com/guzzle/guzzle
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "6.0" }, { "introduced": "0" }, { "last_affected": "6.0" }, { "introduced": "0" }, { "last_affected": "6.0" } ] }
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixedIntroducedFixedIntroducedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "6-NA" }, { "introduced": "0" }, { "last_affected": "7-NA" }, { "introduced": "5.5.0" }, { "fixed": "5.5.38" }, { "introduced": "5.6.0" }, { "fixed": "5.6.24" }, { "introduced": "7.0.0" }, { "last_affected": "7.0.8" }, { "introduced": "0" }, { "last_affected": "8.0" }, { "introduced": "8.0.0" }, { "fixed": "8.1.7" } ] }
Affected versions
1.*
1.0
10.*
10.0.0
10.0.0-alpha1
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.0.0-alpha6
10.0.0-alpha7
10.0.0-beta1
10.0.0-beta2
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.1
2.*
2.0
3.*
3.0.1
4.*
4.0.0
4.0.0-rc.1
4.0.0-rc.2
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2.0
4.2.1
4.2.2
4.2.3
5.*
5.0-beta-1
5.0-beta-2
5.0-rc-1
5.0-rc-2
5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.2.0
5.3.0
6.*
6.0-beta-1
6.0-beta-2
6.0-beta-3
6.0-beta-4
6.0-rc-1
6.0-rc-2
6.0-rc-3
6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
7.*
7.0
7.0-alpha1
7.0-alpha2
7.0-alpha3
7.0-alpha4
7.0-alpha5
7.0-alpha6
7.0-alpha7
7.0-beta1
7.0-beta2
7.0-beta3
7.0-rc-1
7.0-rc-2
7.0-rc-3
7.0-rc-4
7.0-unstable-1
7.0-unstable-10
7.0-unstable-2
7.0-unstable-3
7.0-unstable-4
7.0-unstable-5
7.0-unstable-6
7.0-unstable-7
8.*
8.0-alpha10
8.0-alpha11
8.0-alpha12
8.0-alpha13
8.0-alpha2
8.0-alpha3
8.0-alpha4
8.0-alpha5
8.0-alpha6
8.0-alpha7
8.0-alpha8
8.0-alpha9
8.0.0
8.0.0-alpha14
8.0.0-alpha15
8.0.0-beta1
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-beta2
8.0.0-beta3
8.0.0-beta4
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta9
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.1.0-beta1
9.*
9.0.0-alpha1
9.0.0-alpha2
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
start
php-5.*
php-5.6.24RC1
php-7.*
php-7.0.8
php-7.0.8RC1
php-8.*
php-8.0.0
php-8.1.7RC1
v1.*
v1.0.0
v1.0.0beta1
v1.0.1
v1.0.2
v1.0.3
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.6.0
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.8.0
v3.8.1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5385.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "23"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "24"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.09"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.5.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "42.1"
}
]
}
]