Debian Security Bug TrackerDEBIANCVE:CVE-2016-5385

HistoryJul 19, 2016 - 2:00 a.m.

CVE-2016-5385

2016-07-1902:00:00

Debian Security Bug Tracker

security-tracker.debian.org

0.936 High

EPSS

Percentile

99.1%

JSON

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv(‘HTTP_PROXY’) call or (2) a CGI configuration of PHP, aka an “httpoxy” issue.

OSVersionArchitecturePackageVersionFilename
Debian9allphp7.0< 7.0.33-0+deb9u8php7.0_7.0.33-0+deb9u8_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	php7.0	< 7.0.33-0+deb9u8	php7.0_7.0.33-0+deb9u8_all.deb

nessus

Fedora 24 : php-guzzlehttp-guzzle (2016-aef8a45afe) (httpoxy)

2016-07-29 00:00:00

RHEL 7 : php (RHSA-2016:1613) (httpoxy)

2016-08-12 00:00:00

CentOS 6 : php (CESA-2016:1609) (httpoxy)

2016-08-12 00:00:00

oraclelinux

php security update

2016-08-11 00:00:00

php security and bug fix update

2016-08-11 00:00:00

php security and bug fix update

2016-11-09 00:00:00

openvas

Fedora Update for php FEDORA-2016-8eb11666aa

2016-08-04 00:00:00

RedHat Update for php RHSA-2016:1613-01

2016-08-12 00:00:00

RedHat Update for php RHSA-2016:1609-01

2016-08-12 00:00:00

fedora

[SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc23

2016-07-29 02:55:08

[SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle-5.3.1-1.fc23

2016-07-29 02:55:03

[SECURITY] Fedora 24 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc24

2016-07-29 00:00:06

friendsofphp

HTTP Proxy header vulnerability

2018-02-12 19:47:17

HTTP Proxy header vulnerability

2018-02-12 19:47:17

HTTP Proxy header vulnerability

2015-07-15 17:14:23

redhatcve

CVE-2016-5385

2016-07-18 14:19:09

nvd

CVE-2016-5385

2016-07-19 02:00:17

CVE-2016-1000100

2016-10-06 14:59:17

github

HTTP Proxy header vulnerability

2022-04-07 13:59:22

centos

php security update

2016-08-12 11:27:56

php security update

2016-08-11 21:20:11

typo3

Environment Variable Injection in extension "AWS SDK for PHP" (aws_sdk_php)

2018-08-09 00:00:00

Environment Variable Injection

2016-07-19 00:00:00

Environment Variable Injection in extension "Amazon AWS S3 FAL driver (CDN)" (aus_driver_amazon_s3)

2018-08-09 00:00:00

prion

Design/Logic Flaw

2016-07-19 02:00:00

Design/Logic Flaw

2016-10-06 14:59:00

cve

CVE-2016-5385

2016-07-19 02:00:17

CVE-2016-1000100

2016-10-06 14:59:17

redhat

(RHSA-2016:1611) Moderate: php55-php security update

2016-08-11 19:52:52

(RHSA-2016:1612) Moderate: rh-php56-php security update

2016-08-11 19:53:18

(RHSA-2016:1610) Moderate: php54-php security update

2016-08-11 19:51:58

cvelist

CVE-2016-5385

2016-07-19 01:00:00

K73071205 : PHP vulnerability CVE-2016-5385

2016-07-26 00:00:00

ibm

Security Bulletin: A vulnerability in PHP affects PowerKVM (CVE-2016-5385)

2018-06-18 01:33:23

Security Bulletin: Multiple vulnerabilities affecting web servers that run code in a CGI or CGI-like context affects IBM API Connect (CVE-2016-5385, CVE-2016-1000105)

2018-06-15 07:06:31

Security Bulletin: IBM QRadar SIEM is vulnerable to various CGI vulnerabilities. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388)

2018-06-16 21:48:14

osv

HTTP Proxy header vulnerability

2022-04-07 13:59:22

php5 - security update

2016-12-16 00:00:00

gitlab

HTTP Proxy header vulnerability

2016-07-18 00:00:00

veracode

Open Redirection

2019-01-15 09:12:46

ubuntucve

CVE-2016-5385

2016-07-18 00:00:00

archlinux

drupal: proxy injection

2016-07-21 00:00:00

slackware

[slackware-security] php

2016-07-21 23:38:17

cloudfoundry

Multiple CVEs: httpoxy | Cloud Foundry

2016-12-21 00:00:00

USN-3045-1 PHP vulnerabilities | Cloud Foundry

2016-09-09 00:00:00

threatpost

CGI Script Vulnerability 'Httpoxy' Allows Man-in-the-Middle Attack

2016-07-18 18:00:46

cert

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

2016-07-18 00:00:00

checkpoint_advisories

CGI Namespace Conflict Man-In-The-Middle (httpoxy; CVE-2016-1000109; CVE-2016-1000110; CVE-2016-5385; CVE-2016-5386; CVE-2016-5387; CVE-2016-5388)

2016-07-19 00:00:00

impervablog

Python and Go Top the Chart of 2019’s Most Popular Hacking Tools

2020-05-27 09:22:21

amazon

Medium: php55, php56

2016-08-01 13:30:00

debian

[SECURITY] [DSA 3631-1] php5 security update

2016-07-26 20:46:29

[SECURITY] [DLA 749-1] php5 security update

2016-12-16 21:48:18

freebsd

php -- multiple vulnerabilities

2016-07-21 00:00:00

ubuntu

PHP vulnerabilities

2016-08-02 00:00:00

gentoo

PHP: Multiple vulnerabilities

2016-11-30 00:00:00

kitploit

Trivy - A Simple And Comprehensive Vulnerability Scanner For Containers, Suitable For CI

2019-11-05 12:00:00

rosalinux

Advisory ROSA-SA-2021-1950

2021-07-02 17:57:45

oracle

Oracle Critical Patch Update - January 2018

2018-01-16 00:00:00

Oracle Critical Patch Update Advisory - July 2017

2018-03-20 00:00:00

CVE-2016-5385

Related