CVE-2016-5385

Priority
Description
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
namespace conflicts and therefore does not protect applications from the
presence of untrusted client data in the HTTP_PROXY environment variable,
which might allow remote attackers to redirect an application's outbound
HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
HTTP request, as demonstrated by (1) an application that makes a
getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an
"httpoxy" issue.
More Information
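The getenv('HTTP_PROXY') pattern from the description beside a hardened resolver, as an added example that is not code from PHP or from this tracker entry. The function names and both sample environments are hypothetical and constructed; honouring HTTP_PROXY only on the CLI SAPI is an assumption of this sketch, not something the entry prescribes.

```php
<?php
declare(strict_types=1);

// Added example; all names are hypothetical and the sample data is constructed.

/** Pattern from the description: use whatever HTTP_PROXY holds. */
function proxy_unsafe(array $env): ?string
{
    return $env['HTTP_PROXY'] ?? null;
}

/**
 * Hardened resolver (assumed policy): HTTP_PROXY is honoured only on the CLI
 * SAPI, where the environment is set by the operator. Under a web SAPI the
 * variable can be derived from a request's Proxy header, so only an explicitly
 * configured proxy is considered there.
 */
function proxy_safe(string $sapi, array $env, ?string $configured = null): ?string
{
    $candidate = $sapi === 'cli'
        ? ($configured ?? $env['HTTP_PROXY'] ?? null)
        : $configured;
    if ($candidate === null) {
        return null;
    }
    // Accept only a well-formed http(s) URL that names a host.
    $parts = parse_url($candidate);
    $ok = is_array($parts)
        && in_array($parts['scheme'] ?? '', ['http', 'https'], true)
        && ($parts['host'] ?? '') !== '';
    return $ok ? $candidate : null;
}

// Constructed CGI-style environment: the request carried a Proxy header,
// which the RFC 3875 section 4.1.18 mapping turned into HTTP_PROXY.
$cgiEnv = [
    'REQUEST_METHOD' => 'GET',
    'HTTP_HOST'      => 'app.example',
    'HTTP_PROXY'     => 'http://192.0.2.10:8080',
];
// Constructed CLI environment set by the operator.
$cliEnv = ['HTTP_PROXY' => 'http://proxy.internal.example:3128'];

var_dump(proxy_unsafe($cgiEnv));           // header-derived value reaches the caller
var_dump(proxy_safe('cgi-fcgi', $cgiEnv)); // web SAPI: environment value is not consulted
var_dump(proxy_safe('cli', $cliEnv));      // CLI: operator-set value is validated and used
```

In a real application the `$sapi` argument would be `PHP_SAPI` and `$env` would come from `getenv()`; they are parameters here so the web case can be exercised from the command line.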

Updated: 2019-03-19 12:26:47 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)