It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request.

References

bugzilla.redhat.com/show_bug.cgi?id=1353794

nessus 34

friendsofphp 2

fedora 6

oraclelinux 3

openvas 21

github 1

typo3 4

prion 2

centos 2

ibm 8

redhat 5

veracode 1

gitlab 1

osv 2

archlinux 1

ubuntucve 1

debiancve 1

f5 1

cve 2

slackware 1

cloudfoundry 2

checkpoint_advisories 1

cert 1

threatpost 1

impervablog 1

debian 2

amazon 1

freebsd 1

ubuntu 1

gentoo 1

kitploit 1

rosalinux 1

oracle 2

nessus

RHEL 7 : php (RHSA-2016:1613) (httpoxy)

2016-08-12 00:00:00

Fedora 24 : php-guzzlehttp-guzzle (2016-aef8a45afe) (httpoxy)

2016-07-29 00:00:00

CentOS 6 : php (CESA-2016:1609) (httpoxy)

2016-08-12 00:00:00

friendsofphp

HTTP Proxy header vulnerability

2018-02-12 19:47:17

HTTP Proxy header vulnerability

2016-07-18 20:27:36

fedora

[SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc23

2016-07-29 02:55:08

[SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle-5.3.1-1.fc23

2016-07-29 02:55:03

[SECURITY] Fedora 24 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc24

2016-07-29 00:00:06

oraclelinux

php security update

2016-08-11 00:00:00

php security and bug fix update

2016-08-11 00:00:00

php security and bug fix update

2016-11-09 00:00:00

openvas

RedHat Update for php RHSA-2016:1613-01

2016-08-12 00:00:00

Fedora Update for php FEDORA-2016-8eb11666aa

2016-08-04 00:00:00

Fedora Update for php-guzzlehttp-guzzle FEDORA-2016-e2c8f5f95a

2016-08-04 00:00:00

github

HTTP Proxy header vulnerability

2022-04-07 13:59:22

typo3

Environment Variable Injection in extension "AWS SDK for PHP" (aws_sdk_php)

2018-08-09 00:00:00

Environment Variable Injection

2016-07-19 00:00:00

Environment Variable Injection in extension "Amazon AWS S3 FAL driver (CDN)" (aus_driver_amazon_s3)

2018-08-09 00:00:00

prion

Design/Logic Flaw

2016-07-19 02:00:00

Design/Logic Flaw

2016-10-06 14:59:00

centos

php security update

2016-08-12 11:27:56

php security update

2016-08-11 21:20:11

ibm

Security Bulletin: A vulnerability in PHP affects PowerKVM (CVE-2016-5385)

2018-06-18 01:33:23

Security Bulletin: Multiple vulnerabilities affecting web servers that run code in a CGI or CGI-like context affects IBM API Connect (CVE-2016-5385, CVE-2016-1000105)

2018-06-15 07:06:31

Security Bulletin: IBM QRadar SIEM is vulnerable to various CGI vulnerabilities. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388)

2018-06-16 21:48:14

redhat

(RHSA-2016:1610) Moderate: php54-php security update

2016-08-11 19:51:58

(RHSA-2016:1609) Moderate: php security update

2016-08-11 19:51:34

(RHSA-2016:1613) Moderate: php security and bug fix update

2016-08-11 20:10:37

veracode

Open Redirection

2019-01-15 09:12:46

gitlab

HTTP Proxy header vulnerability

2016-07-18 00:00:00

osv

HTTP Proxy header vulnerability

2022-04-07 13:59:22

php5 - security update

2016-12-16 00:00:00

archlinux

drupal: proxy injection

2016-07-21 00:00:00

ubuntucve

CVE-2016-5385

2016-07-18 00:00:00

debiancve

CVE-2016-5385

2016-07-19 02:00:00

K73071205 : PHP vulnerability CVE-2016-5385

2016-07-26 00:00:00

cve

CVE-2016-5385

2016-07-19 02:00:00

CVE-2016-1000100

2016-10-06 14:59:00

slackware

[slackware-security] php

2016-07-21 23:38:17

cloudfoundry

Multiple CVEs: httpoxy | Cloud Foundry

2016-12-21 00:00:00

USN-3045-1 PHP vulnerabilities | Cloud Foundry

2016-09-09 00:00:00

checkpoint_advisories

CGI Namespace Conflict Man-In-The-Middle (httpoxy; CVE-2016-1000109; CVE-2016-1000110; CVE-2016-5385; CVE-2016-5386; CVE-2016-5387; CVE-2016-5388)

2016-07-19 00:00:00

cert

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

2016-07-18 00:00:00

threatpost

CGI Script Vulnerability 'Httpoxy' Allows Man-in-the-Middle Attack

2016-07-18 18:00:46

impervablog

Python and Go Top the Chart of 2019’s Most Popular Hacking Tools

2020-05-27 09:22:21

debian

[SECURITY] [DSA 3631-1] php5 security update

2016-07-26 20:46:29

[SECURITY] [DLA 749-1] php5 security update

2016-12-16 21:48:18

amazon

Medium: php55, php56

2016-08-01 13:30:00

freebsd

php -- multiple vulnerabilities

2016-07-21 00:00:00

ubuntu

PHP vulnerabilities

2016-08-02 00:00:00

gentoo

PHP: Multiple vulnerabilities

2016-11-30 00:00:00

kitploit

Trivy - A Simple And Comprehensive Vulnerability Scanner For Containers, Suitable For CI

2019-11-05 12:00:00

rosalinux

Advisory ROSA-SA-2021-1950

2021-07-02 17:57:45

oracle

Oracle Critical Patch Update - January 2018

2018-01-16 00:00:00

Oracle Critical Patch Update Advisory - July 2017

2018-03-20 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

JSON

Related for RH:CVE-2016-5385