U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2016-5385

Change History

CVE Modified by Red Hat, Inc. 2/02/2023 4:17:08 PM

Action Type Old Value New Value
Added CVSS V2

Red Hat, Inc. (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Added CVSS V3

Red Hat, Inc. AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Changed Description
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request.
Added Reference

https://access.redhat.com/errata/RHSA-2016:1609 [No Types Assigned]
Added Reference

https://access.redhat.com/errata/RHSA-2016:1610 [No Types Assigned]
Added Reference

https://access.redhat.com/errata/RHSA-2016:1611 [No Types Assigned]
Added Reference

https://access.redhat.com/errata/RHSA-2016:1612 [No Types Assigned]
Added Reference

https://access.redhat.com/errata/RHSA-2016:1613 [No Types Assigned]
Added Reference

https://access.redhat.com/security/cve/CVE-2016-5385 [No Types Assigned]
Added Reference

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/ [No Types Assigned]
Added Reference

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/ [No Types Assigned]
Added Reference

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/ [No Types Assigned]
Removed Reference
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/ [Third Party Advisory]

Removed Reference
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/ [Third Party Advisory]

Removed Reference
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/ [Third Party Advisory]