CVE-2016-5385

NameCVE-2016-5385
DescriptionPHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-749-1, DSA-3631-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)wheezy5.4.45-0+deb7u2vulnerable
wheezy (security)5.4.45-0+deb7u12fixed
jessie5.6.30+dfsg-0+deb8u1fixed
jessie (security)5.6.33+dfsg-0+deb8u1fixed
php7.0 (PTS)stretch7.0.19-1fixed
stretch (security)7.0.27-0+deb9u1fixed
buster, sid7.0.27-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5source(unstable)5.6.24+dfsg-1medium
php5sourcejessie5.6.24+dfsg-0+deb8u1mediumDSA-3631-1
php5sourcewheezy5.4.45-0+deb7u6mediumDLA-749-1
php7.0source(unstable)7.0.9-1medium

Notes

PHP Bug: https://bugs.php.net/bug.php?id=72573
Fixed in 7.0.9, 5.6.24, 5.5.38

Search for package or bug name: Reporting problems