CVE-2016-5385

Priority
Description
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
namespace conflicts and therefore does not protect applications from the
presence of untrusted client data in the HTTP_PROXY environment variable,
which might allow remote attackers to redirect an application's outbound
HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
HTTP request, as demonstrated by (1) an application that makes a
getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an
"httpoxy" issue.
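The name collision described above, modeled as an added example that is not code from PHP or from this tracker: it applies the RFC 3875 section 4.1.18 header mapping to a constructed request, then shows two mitigations (dropping the Proxy header at the gateway, and not trusting HTTP_PROXY in a request context). Function names, the "sapi" parameter and all sample values are assumptions made for illustration.

```python
# Added illustration; every name and sample value here is constructed.

def cgi_environ(headers, base_env, strip_proxy_header=False):
    """Build the environment a CGI gateway hands to the script.

    RFC 3875 4.1.18: each request header becomes HTTP_<NAME>, upper-cased,
    with '-' replaced by '_'. A header named "Proxy" therefore lands on
    HTTP_PROXY, the name many HTTP clients read as proxy configuration.
    """
    env = dict(base_env)
    for name, value in headers:
        if strip_proxy_header and name.strip().lower() == "proxy":
            continue  # mitigation 1: drop the header before the script sees it
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def naive_proxy(env):
    """Unsafe pattern: treats HTTP_PROXY as operator configuration."""
    return env.get("HTTP_PROXY")


def outbound_proxy(env, sapi):
    """Mitigation 2: trust HTTP_PROXY only outside a request context."""
    if sapi == "cli":
        return env.get("HTTP_PROXY") or env.get("http_proxy")
    # In a request context HTTP_* is client-controlled. The lower-case name
    # cannot be produced by the header mapping (assumes a platform with
    # case-sensitive environment variable names).
    return env.get("http_proxy")


# Constructed request and server environment (documentation-range addresses).
SAMPLE_HEADERS = [("Host", "app.example"), ("Proxy", "http://192.0.2.10:8080")]
SERVER_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "http_proxy": "http://proxy.internal.example:3128",
}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS, SERVER_ENV)
    print("naive lookup:   ", naive_proxy(env))
    print("hardened lookup:", outbound_proxy(env, "cgi"))
    stripped = cgi_environ(SAMPLE_HEADERS, SERVER_ENV, strip_proxy_header=True)
    print("after stripping:", naive_proxy(stripped))
```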
Notes
Package
Source: php5 (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.19)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9ebc96116b609cd3c969c2d5a460aaa904c2afec
More Information

Updated: 2020-09-10 05:29:48 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)