CVE-2016-5385

Description

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

How to fix CVE-2016-5385

To remediate CVE-2016-5385, upgrade the affected package to a fixed version below.

• —upgrade to 5.4.45-0+deb7u6 or later
• —upgrade to 5.6.24+dfsg-0+deb8u1 or later
• —upgrade to 1.0.4 or later
• —upgrade to 2.0.2 or later
• —upgrade to 8.1.7 or later
• —upgrade to 6.2.1 or later
• —upgrade to 1.1.2 or later

Is CVE-2016-5385 being exploited?

Likely — EPSS is 83.5%, placing CVE-2016-5385 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (7)

• from 0, < 5.4.45-0+deb7u6
• from 0, < 5.6.24+dfsg-0+deb8u1
• from 0, < 1.0.4
• from 0, < 2.0.2
• >= 8.0, < 8.1.7
• >= 6, < 6.2.1
• from 0, < 1.1.2

CVSS scores

References (40)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-5385
• WEBlists.opensuse.org/opensuse-updates/2016-08/msg00003.html
• WEBrhn.redhat.com/errata/RHSA-2016-1609.html
• WEBrhn.redhat.com/errata/RHSA-2016-1610.html
• WEB