PHP HTTP_PROXY environment variable Security Vulnerability (CVE-2016-5385)

PHP HTTP_PROXY environment variable Security Vulnerability (CVE-2016-5385)
PHP HTTP_PROXY environment variable Security Vulnerability (CVE-2016-5385)

Release date:
Updated on:

Affected Systems:

PHP <7.0.8

Description:

CVE (CAN) ID: CVE-2016-5385

PHP is a widely used scripting language. It is especially suitable for Web development and can be embedded into HTML.

In PHP <7.0.8 and RFC 3875 section 4.1.18, a namespace conflict exists. The HTTP_PROXY environment variable fails to filter the constructed client data. Remote attackers can construct the Proxy header of an HTTP request to redirect the HTTP data stream of an application to any Proxy server.

<* Source: Kurt Seifried (kurt@seifried.org)
*>

Suggestion:

Vendor patch:

PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.php.net/downloads.php

Refer:
Https://httpoxy.org/
Http://www.kb.cert.org/vuls/id/797896
Https://bugzilla.redhat.com/show_bug.cgi? Id = 1353794

Compile and install Apache2.4 and PHP7 in Ubuntu 16.04

Install a Web Server on Ubuntu Server 14.04 (Linux + Apache + MySQL + PHP)

Install and configure the PHP environment in Linux (Apache2)

Compile and install LAMP in CentOS 5.9 (Apache 2.2.44 + MySQL 5.6.10 + PHP 5.4.12)

This article permanently updates the link address: