ID CVE-2016-5385
Summary PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
References
Vulnerable Configurations
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7.0
  • Fedora Project Fedora 23
    cpe:2.3:o:fedoraproject:fedora:23
  • Fedora 24
    cpe:2.3:o:fedoraproject:fedora:24
  • cpe:2.3:o:hp:storeever_msl6480_tape_library_firmware:5.09
    cpe:2.3:o:hp:storeever_msl6480_tape_library_firmware:5.09
  • cpe:2.3:h:hp:storeever_msl6480_tape_library
    cpe:2.3:h:hp:storeever_msl6480_tape_library
  • cpe:2.3:a:hp:system_management_homepage:7.5.5.0
    cpe:2.3:a:hp:system_management_homepage:7.5.5.0
  • PHP 7.0.8
    cpe:2.3:a:php:php:7.0.8
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
CVSS
Base: 5.1 (as of 17-11-2016 - 12:24)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1440.NASL
    description This update for php7 fixes the following security issues : - CVE-2016-5385: Setting HTTP_PROXY environment variable via Proxy header (httpoxy) (bsc#988486). - CVE-2016-9137: Fixing a Use After Free in unserialize() (bsc#1008029). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-01-10
    plugin id 95746
    published 2016-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95746
    title openSUSE Security Update : php7 (openSUSE-2016-1440) (httpoxy)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2941-1.NASL
    description This update for php7 fixes the following security issues : - CVE-2016-5385: Setting HTTP_PROXY environment variable via Proxy header (httpoxy) (bsc#988486). - CVE-2016-9137: Fixing a Use After Free in unserialize() (bsc#1008029). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 119987
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119987
    title SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2941-1) (httpoxy)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-203-02.NASL
    description New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2016-10-24
    plugin id 92499
    published 2016-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92499
    title Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-203-02) (httpoxy)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201611-22.NASL
    description The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : An attacker can possibly execute arbitrary code or create a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 95421
    published 2016-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95421
    title GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-728.NASL
    description A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874) An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image. (CVE-2016-5766) An integer overflow, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer. (CVE-2016-5767) A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) The mcrypt_generic() and mdecrypt_generic() functions are prone to integer overflows, resulting in a heap-based overflow. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5769) A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit a specially crafted input to a PHP application, which uses this function, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5770) A use-after-free vulnerability that can occur when calling unserialize() on untrusted input was discovered. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application if the application unserializes untrusted input. (CVE-2016-5771 , CVE-2016-5773) A double free can occur in wddx_deserialize() when trying to deserialize malicious XML input from user's request. This flaw could possibly cause a PHP application to crash. (CVE-2016-5772) It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) (Updated on 2016-08-17: CVE-2016-5385 was fixed in this release but was not previously part of this errata)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 92663
    published 2016-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92663
    title Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-1613.NASL
    description From Red Hat Security Advisory 2016:1613 : An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es) : * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 92937
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92937
    title Oracle Linux 7 : php (ELSA-2016-1613) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-CD2BD0800F.NASL
    description 21 Jul 2016, **PHP 5.6.24** **Core:** - Fixed bug php#71936 (Segmentation fault destroying HTTP_RAW_POST_DATA). (mike dot laspina at gmail dot com, Remi) - Fixed bug php#72496 (Cannot declare public method with signature incompatible with parent private method). (Pedro Magalhães) - Fixed bug php#72138 (Integer Overflow in Length of String-typed ZVAL). (Stas) - Fixed bug php#72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (loianhtuan at gmail dot com) - Fixed bug php#72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (taoguangchen at icloud dot com) - Fixed bug php#72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385) (Stas) **bz2:** - Fixed bug php#72447 (Type Confusion in php_bz2_filter_create()). (gogil at stealien dot com). - Fixed bug php#72613 (Inadequate error handling in bzread()). (Stas) **EXIF:** - Fixed bug php#50845 (exif_read_data() returns corrupted exif headers). (Bartosz Dziewoński) - Fixed bug php#72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (Stas) - Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment). (Stas) **Intl:** - Fixed bug php#72533 (locale_accept_from_http out-of-bounds access). (Stas) **ODBC:** - Fixed bug php#69975 (PHP segfaults when accessing nvarchar(max) defined columns) **OpenSSL:** - Fixed bug php#71915 (openssl_random_pseudo_bytes is not fork-safe). (Jakub Zelenka) - Fixed bug php#72336 (openssl_pkey_new does not fail for invalid DSA params). (Jakub Zelenka) **SNMP:** - Fixed bug php#72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (taoguangchen at icloud dot com) **SPL:** - Fixed bug php#55701 (GlobIterator throws LogicException). (Valentin VĂLCIU) **SQLite3:** - Fixed bug php#70628 (Clearing bindings on a SQLite3 statement doesn't work). (cmb) **Streams:** - Fixed bug php#72439 (Stream socket with remote address leads to a segmentation fault). (Laruence) **Xmlrpc:** - Fixed bug php#72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (Stas) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92650
    published 2016-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92650
    title Fedora 23 : php (2016-cd2bd0800f) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-8EB11666AA.NASL
    description 21 Jul 2016, **PHP 5.6.24** **Core:** - Fixed bug php#71936 (Segmentation fault destroying HTTP_RAW_POST_DATA). (mike dot laspina at gmail dot com, Remi) - Fixed bug php#72496 (Cannot declare public method with signature incompatible with parent private method). (Pedro Magalhães) - Fixed bug php#72138 (Integer Overflow in Length of String-typed ZVAL). (Stas) - Fixed bug php#72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (loianhtuan at gmail dot com) - Fixed bug php#72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (taoguangchen at icloud dot com) - Fixed bug php#72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385) (Stas) **bz2:** - Fixed bug php#72447 (Type Confusion in php_bz2_filter_create()). (gogil at stealien dot com). - Fixed bug php#72613 (Inadequate error handling in bzread()). (Stas) **EXIF:** - Fixed bug php#50845 (exif_read_data() returns corrupted exif headers). (Bartosz Dziewoński) - Fixed bug php#72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (Stas) - Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment). (Stas) **Intl:** - Fixed bug php#72533 (locale_accept_from_http out-of-bounds access). (Stas) **ODBC:** - Fixed bug php#69975 (PHP segfaults when accessing nvarchar(max) defined columns) **OpenSSL:** - Fixed bug php#71915 (openssl_random_pseudo_bytes is not fork-safe). (Jakub Zelenka) - Fixed bug php#72336 (openssl_pkey_new does not fail for invalid DSA params). (Jakub Zelenka) **SNMP:** - Fixed bug php#72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (taoguangchen at icloud dot com) **SPL:** - Fixed bug php#55701 (GlobIterator throws LogicException). (Valentin VĂLCIU) **SQLite3:** - Fixed bug php#70628 (Clearing bindings on a SQLite3 statement doesn't work). (cmb) **Streams:** - Fixed bug php#72439 (Stream socket with remote address leads to a segmentation fault). (Laruence) **Xmlrpc:** - Fixed bug php#72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (Stas) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92648
    published 2016-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92648
    title Fedora 24 : php (2016-8eb11666aa) (httpoxy)
  • NASL family CGI abuses
    NASL id DRUPAL_8_1_7.NASL
    description The version of Drupal running on the remote web server is 8.x prior to 8.1.7. It is, therefore, affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 92495
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92495
    title Drupal 8.x < 8.1.7 PHP HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)
  • NASL family Misc.
    NASL id ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL
    description The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940) - A flaw exists in the PathTools module for Perl in the File::Spec::canonpath() function that is triggered as strings are returned as untainted even when passing tainted input. An unauthenticated, remote attacker can exploit this to pass unvalidated user input to sensitive or insecure areas. (CVE-2015-8607) - An overflow condition exists in Perl in the MapPathA() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-8608) - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - A flaw exists in Perl that is triggered during the handling of variables that appear twice in the environment (envp), causing the last value to appear in %ENV, while getenv would return the first. An unauthenticated, remote attacker can exploit this to cause variables to be incorrectly propagated to subprocesses, regardless of the protections offered by taint checking. (CVE-2016-2381) - A denial of service vulnerability exists in the Apache Commons FileUpload component due to improper handling of boundaries in content-type headers when handling file upload requests. An unauthenticated, remote attacker can exploit this to cause processes linked against the library to become unresponsive. (CVE-2016-3092) - A man-in-the-middle vulnerability exists in various components, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388) - A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. Moreover, the attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE based SSL/TLS cipher suites. (CVE-2017-3732) - An unspecified flaw exists in the UI Framework component that allows authenticated, remote attacker to have an impact on integrity. (CVE-2017-10091)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 101837
    published 2017-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101837
    title Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)
  • NASL family CGI abuses
    NASL id PHP_7_0_9.NASL
    description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385) - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399) - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207) - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6289) - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290) - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291) - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292) - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294) - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295) - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6296) - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6297) - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A flaw exists in the curl_unescape() function within file ext/curl/interface.c when handling string lengths. An unauthenticated, remote attacker can exploit this to cause heap corruption, resulting in a denial of service condition. - A heap-based buffer overflow condition exists in the mcrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 92556
    published 2016-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92556
    title PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-1613.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es) : * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92952
    published 2016-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92952
    title CentOS 7 : php (CESA-2016:1613) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-E2C8F5F95A.NASL
    description ## 5.3.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Event name fix: https://github.com/guzzle/guzzle/commit/fcae91ff31de41e3 12fe113ec3acbcda31b2622e - Response header case sensitivity fix: https://github.com/guzzle/guzzle/commit/043eeadf20ee40dd c6712faee4d3957a91f2b041 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92621
    published 2016-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92621
    title Fedora 23 : php-guzzlehttp-guzzle (2016-e2c8f5f95a) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1613.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es) : * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92941
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92941
    title RHEL 7 : php (RHSA-2016:1613) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-9C8CF5912C.NASL
    description ## 6.2.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Fixing timeout bug with StreamHandler: https://github.com/guzzle/guzzle/pull/1488 - Only read up to `Content-Length` in PHP StreamHandler to avoid timeouts when a server does not honor `Connection: close`. - Ignore URI fragment when sending requests. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92618
    published 2016-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92618
    title Fedora 23 : php-guzzlehttp-guzzle6 (2016-9c8cf5912c) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-4E7DB3D437.NASL
    description ## 6.2.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Fixing timeout bug with StreamHandler: https://github.com/guzzle/guzzle/pull/1488 - Only read up to `Content-Length` in PHP StreamHandler to avoid timeouts when a server does not honor `Connection: close`. - Ignore URI fragment when sending requests. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92616
    published 2016-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92616
    title Fedora 24 : php-guzzlehttp-guzzle6 (2016-4e7db3d437) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-AEF8A45AFE.NASL
    description ## 5.3.1 - 2016-07-18 - Address HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/ - Event name fix: https://github.com/guzzle/guzzle/commit/fcae91ff31de41e3 12fe113ec3acbcda31b2622e - Response header case sensitivity fix: https://github.com/guzzle/guzzle/commit/043eeadf20ee40dd c6712faee4d3957a91f2b041 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92619
    published 2016-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92619
    title Fedora 24 : php-guzzlehttp-guzzle (2016-aef8a45afe) (httpoxy)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3631.NASL
    description Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.24, which includes additional bug fixes. Please refer to the upstream changelog for more information :
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92573
    published 2016-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92573
    title Debian DSA-3631-1 : php5 - security update (httpoxy)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-749.NASL
    description CVE-2016-5385 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an 'httpoxy' issue. CVE-2016-7124 ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call. CVE-2016-7128 The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image. CVE-2016-7129 The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document. CVE-2016-7130 The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document. CVE-2016-7131 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character. CVE-2016-7132 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing. CVE-2016-7411 ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object. CVE-2016-7412 ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata. CVE-2016-7413 Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call. CVE-2016-7414 The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c. CVE-2016-7416 ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument. CVE-2016-7417 ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data. CVE-2016-7418 The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u6. We recommend that you upgrade your php5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 96010
    published 2016-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96010
    title Debian DLA-749-1 : php5 security update (httpoxy)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160811_PHP_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker- controlled proxy via a malicious HTTP request. (CVE-2016-5385)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 92965
    published 2016-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92965
    title Scientific Linux Security Update : php on SL6.x i386/x86_64 (httpoxy)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3045-1.NASL
    description It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116) It was discovered that PHP incorrectly handled recursive method calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8873) It was discovered that PHP incorrectly validated certain Exception objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8876) It was discovered that PHP header() function performed insufficient filtering for Internet Explorer. A remote attacker could possibly use this issue to perform a XSS attack. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8935) It was discovered that PHP incorrectly handled certain locale operations. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5093) It was discovered that the PHP php_html_entities() function incorrectly handled certain string lengths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5094, CVE-2016-5095) It was discovered that the PHP fread() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5096) It was discovered that the PHP FastCGI Process Manager (FPM) SAPI incorrectly handled memory in the access logging feature. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114) It was discovered that PHP would not protect applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with scripts that honour the HTTP_PROXY variable to redirect outgoing HTTP requests. (CVE-2016-5385) Hans Jerry Illikainen discovered that the PHP bzread() function incorrectly performed error handling. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-5399) It was discovered that certain PHP multibyte string functions incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-5768) It was discovered that the PHP Mcrypt extension incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5769) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing malicious data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu Ubuntu 14.04 LTS. (CVE-2016-5771, CVE-2016-5773) It was discovered that PHP incorrectly handled memory when unserializing malicious xml data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5772) It was discovered that the PHP php_url_parse_ex() function incorrectly handled string termination. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-6288) It was discovered that PHP incorrectly handled path lengths when extracting certain Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6289) It was discovered that PHP incorrectly handled session deserialization. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6290) It was discovered that PHP incorrectly handled exif headers when processing certain JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6291, CVE-2016-6292) It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6294) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing SNMP data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6295) It was discovered that the PHP xmlrpc_encode_request() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6296) It was discovered that the PHP php_stream_zip_opener() function incorrectly handled memory. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6297). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 92699
    published 2016-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92699
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3045-1) (httpoxy)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160811_PHP_ON_SL7_X.NASL
    description Security Fix(es) : - It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker- controlled proxy via a malicious HTTP request. (CVE-2016-5385) Bug Fix(es) : - Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 92997
    published 2016-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92997
    title Scientific Linux Security Update : php on SL7.x x86_64 (httpoxy)
  • NASL family Web Servers
    NASL id HTTP_HTTPOXY.NASL
    description The web application running on the remote web server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 92539
    published 2016-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92539
    title HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B6402385533B11E6A7BD14DAE9D210B8.NASL
    description PHP reports : - Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns) - Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). - Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access). - Fixed bug #72519 (imagegif/output out-of-bounds access). - Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). - Fixed bug #72533 (locale_accept_from_http out-of-bounds access). - Fixed bug #72541 (size_t overflow lead to heap corruption). - Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic). - Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). - Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). - Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). - Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). - Fixed bug #72613 (Inadequate error handling in bzread()). - Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment).
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 92574
    published 2016-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92574
    title FreeBSD : php -- multiple vulnerabilities (b6402385-533b-11e6-a7bd-14dae9d210b8) (httpoxy)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-921.NASL
    description This update for php5 fixes the following issues : - It is possible to launch a web server with 'php -S localhost:8080' It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5385). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated php server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes. (bnc#988486) - There was multiple cases where a remote attacker could trigger a double free and, given specific PHP code using callbacks, trigger code execution vectors. (bnc#986246,bnc#986244,CVE-2016-5768,CVE-2016-5772) - It was possible to inject header or content information (XSS) when a user was using internet explorer as the browser. (bnc#986004, CVE-2015-8935) - In several cases it was possible for a integer overflow to trigger an excessive memory allocation (bnc#986392, bnc#986388, bnc#986386, bnc#986393, CVE-2016-5770, CVE-2016-5769, CVE-2016-5766, CVE-2016-5767) - It was possible for an attacker to abuse the garbage collector to free a target array. At this point an attacker could craft a fake zval object and exploit the PHP process by taking over the EIP/RIP. (bnc#986391, CVE-2016-5771) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 92714
    published 2016-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92714
    title openSUSE Security Update : php5 (openSUSE-2016-921) (httpoxy)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-1609.NASL
    description From Red Hat Security Advisory 2016:1609 : An update for php is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 92936
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92936
    title Oracle Linux 6 : php (ELSA-2016-1609) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1609.NASL
    description An update for php is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92940
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92940
    title RHEL 6 : php (RHSA-2016:1609) (httpoxy)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-1609.NASL
    description An update for php is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92872
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92872
    title CentOS 6 : php (CESA-2016:1609) (httpoxy)
  • NASL family Web Servers
    NASL id HPSMH_7_6.NASL
    description According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in OpenSSL in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in OpenSSL in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist OpenSSL in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in OpenSSL in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - A certificate validation bypass vulnerability exists in cURL and libcurl due to improper validation of TLS certificates. A man-in-the-middle attacker can exploit this, via a spoofed certificate that appears valid, to disclose or manipulate transmitted data. (CVE-2016-3739) - An integer overflow condition exists in PHP in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-4070) - A flaw exists in PHP in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. (CVE-2016-4071) - An invalid memory write error exists in PHP when handling the path of phar file names that allows an attacker to have an unspecified impact. (CVE-2016-4072) - A remote code execution vulnerability exists in PHP in phar_object.c due to improper handling of zero-length uncompressed data. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR, ZIP, or PHAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4342) - A remote code execution vulnerability exists in PHP in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-4393) - An unspecified HTTP Strict Transport Security (HSTS) bypass vulnerability exists that allows authenticated, remote attackers to disclose sensitive information. (CVE-2016-4394) - A remote code execution vulnerability exists due to an overflow condition in the mod_smh_config.so library caused by improper validation of user-supplied input when parsing the admin-group parameter supplied to the /proxy/SetSMHData endpoint. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4395) - A remote code execution vulnerability exists due to an overflow condition in the mod_smh_config.so library caused by improper validation of user-supplied input when parsing the TKN parameter supplied to the /Proxy/SSO endpoint. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4396) - An out-of-bounds read error exists in PHP in the php_str2num() function in bcmath.c when handling negative scales. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition or the disclosure of memory contents. (CVE-2016-4537) - A flaw exists in PHP the bcpowmod() function in bcmath.c due to modifying certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variables. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition. (CVE-2016-4538) - A flaw exists in PHP in the xml_parse_into_struct() function in xml.c when handling specially crafted XML contents. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-4539) - Multiple out-of-bounds read errors exist in PHP within file ext/intl/grapheme/grapheme_string.c when handling negative offsets in the zif_grapheme_stripos() and zif_grapheme_strpos() functions. An unauthenticated, remote attacker can exploit these issues to cause a denial of service condition or disclose memory contents. (CVE-2016-4540, CVE-2016-4541) - A flaw exists in PHP in the exif_process_IFD_TAG() function in exif.c due to improper construction of spprintf arguments. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4542) - A flaw exists in PHP in the exif_process_IFD_in_JPEG() function in exif.c due to improper validation of IFD sizes. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4543) - A man-in-the-middle vulnerability exists, known as 'httpoxy', in the Apache Tomcat, Apache HTTP Server, and PHP components due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. A remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 94654
    published 2016-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94654
    title HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)
  • NASL family CGI abuses
    NASL id PHP_5_6_24.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385) - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399) - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207) - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6289) - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290) - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291) - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292) - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294) - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295) - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6296) - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6297) - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 92555
    published 2016-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92555
    title PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy)
  • NASL family CGI abuses
    NASL id PHP_5_5_38.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities : - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385) - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399) - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207) - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6289) - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290) - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291) - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292) - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294) - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295) - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6296) - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-6297) - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents. - An overflow condition exists in the php_url_prase_ex() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 92554
    published 2016-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92554
    title PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)
redhat via4
advisories
  • bugzilla
    id 1353794
    title CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment php is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609015
        • comment php is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195006
      • AND
        • comment php-bcmath is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609037
        • comment php-bcmath is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195048
      • AND
        • comment php-cli is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609023
        • comment php-cli is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195044
      • AND
        • comment php-common is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609017
        • comment php-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195010
      • AND
        • comment php-dba is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609055
        • comment php-dba is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195054
      • AND
        • comment php-devel is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609013
        • comment php-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195032
      • AND
        • comment php-embedded is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609045
        • comment php-embedded is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195038
      • AND
        • comment php-enchant is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609029
        • comment php-enchant is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195026
      • AND
        • comment php-fpm is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609041
        • comment php-fpm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20130514036
      • AND
        • comment php-gd is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609043
        • comment php-gd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195056
      • AND
        • comment php-imap is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609033
        • comment php-imap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195040
      • AND
        • comment php-intl is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609039
        • comment php-intl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195030
      • AND
        • comment php-ldap is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609005
        • comment php-ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195046
      • AND
        • comment php-mbstring is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609035
        • comment php-mbstring is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195042
      • AND
        • comment php-mysql is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609007
        • comment php-mysql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195008
      • AND
        • comment php-odbc is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609011
        • comment php-odbc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195020
      • AND
        • comment php-pdo is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609027
        • comment php-pdo is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195018
      • AND
        • comment php-pgsql is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609031
        • comment php-pgsql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195014
      • AND
        • comment php-process is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609047
        • comment php-process is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195016
      • AND
        • comment php-pspell is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609049
        • comment php-pspell is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195028
      • AND
        • comment php-recode is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609009
        • comment php-recode is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195050
      • AND
        • comment php-snmp is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609051
        • comment php-snmp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195036
      • AND
        • comment php-soap is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609025
        • comment php-soap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195024
      • AND
        • comment php-tidy is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609053
        • comment php-tidy is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195012
      • AND
        • comment php-xml is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609057
        • comment php-xml is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195022
      • AND
        • comment php-xmlrpc is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609021
        • comment php-xmlrpc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195052
      • AND
        • comment php-zts is earlier than 0:5.3.3-48.el6_8
          oval oval:com.redhat.rhsa:tst:20161609019
        • comment php-zts is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195034
    rhsa
    id RHSA-2016:1609
    released 2016-08-11
    severity Moderate
    title RHSA-2016:1609: php security update (Moderate)
  • bugzilla
    id 1353794
    title CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment php is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613029
        • comment php is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195006
      • AND
        • comment php-bcmath is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613027
        • comment php-bcmath is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195048
      • AND
        • comment php-cli is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613043
        • comment php-cli is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195044
      • AND
        • comment php-common is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613021
        • comment php-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195010
      • AND
        • comment php-dba is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613015
        • comment php-dba is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195054
      • AND
        • comment php-devel is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613035
        • comment php-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195032
      • AND
        • comment php-embedded is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613017
        • comment php-embedded is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195038
      • AND
        • comment php-enchant is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613013
        • comment php-enchant is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195026
      • AND
        • comment php-fpm is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613039
        • comment php-fpm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20130514036
      • AND
        • comment php-gd is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613009
        • comment php-gd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195056
      • AND
        • comment php-intl is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613041
        • comment php-intl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195030
      • AND
        • comment php-ldap is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613019
        • comment php-ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195046
      • AND
        • comment php-mbstring is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613047
        • comment php-mbstring is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195042
      • AND
        • comment php-mysql is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613037
        • comment php-mysql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195008
      • AND
        • comment php-mysqlnd is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613051
        • comment php-mysqlnd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141013028
      • AND
        • comment php-odbc is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613011
        • comment php-odbc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195020
      • AND
        • comment php-pdo is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613025
        • comment php-pdo is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195018
      • AND
        • comment php-pgsql is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613033
        • comment php-pgsql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195014
      • AND
        • comment php-process is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613049
        • comment php-process is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195016
      • AND
        • comment php-pspell is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613005
        • comment php-pspell is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195028
      • AND
        • comment php-recode is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613031
        • comment php-recode is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195050
      • AND
        • comment php-snmp is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613053
        • comment php-snmp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195036
      • AND
        • comment php-soap is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613023
        • comment php-soap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195024
      • AND
        • comment php-xml is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613045
        • comment php-xml is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195022
      • AND
        • comment php-xmlrpc is earlier than 0:5.4.16-36.3.el7_2
          oval oval:com.redhat.rhsa:tst:20161613007
        • comment php-xmlrpc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110195052
    rhsa
    id RHSA-2016:1613
    released 2016-08-11
    severity Moderate
    title RHSA-2016:1613: php security and bug fix update (Moderate)
  • rhsa
    id RHSA-2016:1610
  • rhsa
    id RHSA-2016:1611
  • rhsa
    id RHSA-2016:1612
rpms
  • php-0:5.3.3-48.el6_8
  • php-bcmath-0:5.3.3-48.el6_8
  • php-cli-0:5.3.3-48.el6_8
  • php-common-0:5.3.3-48.el6_8
  • php-dba-0:5.3.3-48.el6_8
  • php-devel-0:5.3.3-48.el6_8
  • php-embedded-0:5.3.3-48.el6_8
  • php-enchant-0:5.3.3-48.el6_8
  • php-fpm-0:5.3.3-48.el6_8
  • php-gd-0:5.3.3-48.el6_8
  • php-imap-0:5.3.3-48.el6_8
  • php-intl-0:5.3.3-48.el6_8
  • php-ldap-0:5.3.3-48.el6_8
  • php-mbstring-0:5.3.3-48.el6_8
  • php-mysql-0:5.3.3-48.el6_8
  • php-odbc-0:5.3.3-48.el6_8
  • php-pdo-0:5.3.3-48.el6_8
  • php-pgsql-0:5.3.3-48.el6_8
  • php-process-0:5.3.3-48.el6_8
  • php-pspell-0:5.3.3-48.el6_8
  • php-recode-0:5.3.3-48.el6_8
  • php-snmp-0:5.3.3-48.el6_8
  • php-soap-0:5.3.3-48.el6_8
  • php-tidy-0:5.3.3-48.el6_8
  • php-xml-0:5.3.3-48.el6_8
  • php-xmlrpc-0:5.3.3-48.el6_8
  • php-zts-0:5.3.3-48.el6_8
  • php-0:5.4.16-36.3.el7_2
  • php-bcmath-0:5.4.16-36.3.el7_2
  • php-cli-0:5.4.16-36.3.el7_2
  • php-common-0:5.4.16-36.3.el7_2
  • php-dba-0:5.4.16-36.3.el7_2
  • php-devel-0:5.4.16-36.3.el7_2
  • php-embedded-0:5.4.16-36.3.el7_2
  • php-enchant-0:5.4.16-36.3.el7_2
  • php-fpm-0:5.4.16-36.3.el7_2
  • php-gd-0:5.4.16-36.3.el7_2
  • php-intl-0:5.4.16-36.3.el7_2
  • php-ldap-0:5.4.16-36.3.el7_2
  • php-mbstring-0:5.4.16-36.3.el7_2
  • php-mysql-0:5.4.16-36.3.el7_2
  • php-mysqlnd-0:5.4.16-36.3.el7_2
  • php-odbc-0:5.4.16-36.3.el7_2
  • php-pdo-0:5.4.16-36.3.el7_2
  • php-pgsql-0:5.4.16-36.3.el7_2
  • php-process-0:5.4.16-36.3.el7_2
  • php-pspell-0:5.4.16-36.3.el7_2
  • php-recode-0:5.4.16-36.3.el7_2
  • php-snmp-0:5.4.16-36.3.el7_2
  • php-soap-0:5.4.16-36.3.el7_2
  • php-xml-0:5.4.16-36.3.el7_2
  • php-xmlrpc-0:5.4.16-36.3.el7_2
refmap via4
bid 91821
cert-vn VU#797896
confirm
debian DSA-3631
fedora
  • FEDORA-2016-4e7db3d437
  • FEDORA-2016-8eb11666aa
  • FEDORA-2016-9c8cf5912c
gentoo GLSA-201611-22
misc https://httpoxy.org/
sectrack 1036335
suse openSUSE-SU-2016:1922
Last major update 20-03-2017 - 21:59
Published 18-07-2016 - 22:00
Last modified 04-03-2019 - 09:47
Back to Top