CVE-2016-5385

19.07.2016, 02:00

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
oracle	communications_user_data_repository	10.0.0
oracle	communications_user_data_repository	10.0.1
oracle	communications_user_data_repository	12.0.0
oracle	enterprise_manager_ops_center	12.2.2
oracle	enterprise_manager_ops_center	12.3.2
hp	storeever_msl6480_tape_library_firmware	𝑥 ≤ 5.09
hp	system_management_homepage	𝑥 ≤ 7.5.5.0
php	php	5.5.0 ≤ 𝑥 < 5.5.38
php	php	5.6.0 ≤ 𝑥 < 5.6.24
php	php	7.0.0 ≤ 𝑥 ≤ 7.0.8
redhat	enterprise_linux_desktop	6.0
redhat	enterprise_linux_server	6.0
redhat	enterprise_linux_workstation	6.0
debian	debian_linux	8.0
opensuse	leap	42.1
drupal	drupal	8.0.0 ≤ 𝑥 < 8.1.7

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

php5

precise	Fixed 5.3.10-1ubuntu3.24 released
trusty	Fixed 5.5.9+dfsg-1ubuntu4.19 released
wily	ignored
xenial	dne

php7.0

precise	dne
trusty	dne
wily	dne
xenial	Fixed 7.0.8-0ubuntu0.16.04.2 released

Red Hat Enterprise Linux Releases

Red Hat Product

Release

php

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-bcmath

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-cli

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-common

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-dba

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-devel

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-embedded

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-enchant

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-fpm

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-gd

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-imap

RHEL 6

0:5.3.3-48.el6_8

fixed

php-intl

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-ldap

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-mbstring

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-mysql

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-mysqlnd

RHEL 7

0:5.4.16-36.3.el7_2

fixed

php-odbc

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-pdo

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-pgsql

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-process

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-pspell

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-recode

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-snmp

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-soap

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-tidy

RHEL 6

0:5.3.3-48.el6_8

fixed

php-xml

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-xmlrpc

RHEL 6	0:5.3.3-48.el6_8 fixed
RHEL 7	0:5.4.16-36.3.el7_2 fixed

php-zts

RHEL 6

0:5.3.3-48.el6_8

fixed

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html

http://rhn.redhat.com/errata/RHSA-2016-1609.html

http://rhn.redhat.com/errata/RHSA-2016-1610.html

http://rhn.redhat.com/errata/RHSA-2016-1611.html

http://rhn.redhat.com/errata/RHSA-2016-1612.html

http://rhn.redhat.com/errata/RHSA-2016-1613.html

http://www.debian.org/security/2016/dsa-3631

http://www.kb.cert.org/vuls/id/797896

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

http://www.securityfocus.com/bid/91821

http://www.securitytracker.com/id/1036335

https://bugzilla.redhat.com/show_bug.cgi?id=1353794

https://github.com/guzzle/guzzle/releases/tag/6.2.1

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

https://httpoxy.org/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/

https://security.gentoo.org/glsa/201611-22

https://www.drupal.org/SA-CORE-2016-003

http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html

http://rhn.redhat.com/errata/RHSA-2016-1609.html

http://rhn.redhat.com/errata/RHSA-2016-1610.html

http://rhn.redhat.com/errata/RHSA-2016-1611.html

http://rhn.redhat.com/errata/RHSA-2016-1612.html

http://rhn.redhat.com/errata/RHSA-2016-1613.html

http://www.debian.org/security/2016/dsa-3631

http://www.kb.cert.org/vuls/id/797896

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

http://www.securityfocus.com/bid/91821

http://www.securitytracker.com/id/1036335

https://bugzilla.redhat.com/show_bug.cgi?id=1353794

https://github.com/guzzle/guzzle/releases/tag/6.2.1

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

https://httpoxy.org/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/

https://security.gentoo.org/glsa/201611-22

https://www.drupal.org/SA-CORE-2016-003