Vulnerability Details: CVE-2016-5385
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
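The description above turns on one mechanism: a CGI gateway builds the HTTP_PROXY meta-variable from a client's Proxy request header. The Python script below is an added illustration and is not code from this CVE record, from PHP, or from any of the referenced vendors. It models the RFC 3875 section 4.1.18 header-to-meta-variable mapping so the name collision is visible, and then shows the two defender-side controls: dropping the Proxy header before the CGI environment is built, and refusing to take an outbound proxy from HTTP_PROXY when GATEWAY_INTERFACE says the process is running under CGI. GATEWAY_INTERFACE is the real RFC 3875 variable; the function names and all header values and environments are constructed for the example.

```python
"""Added illustration for CVE-2016-5385 (httpoxy); not code from the CVE
record or from PHP.  Models the RFC 3875 4.1.18 mapping of request headers
to HTTP_* meta-variables and two mitigations: strip the Proxy header at the
gateway, and never trust HTTP_PROXY inside a CGI context.  Every header
value and environment below is constructed sample data."""
from typing import Dict, Optional

# Request header whose RFC 3875 meta-variable name is HTTP_PROXY.
COLLIDING_HEADER = "proxy"


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 4.1.18: upper-case the header name, replace '-' with '_',
    prefix 'HTTP_'.  The RFC does not reserve HTTP_PROXY, so a client's
    'Proxy' header lands in the variable that many HTTP client libraries
    read as their outbound proxy setting.  That is the namespace conflict."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Gateway-side mitigation: drop the Proxy request header (it has no
    standard meaning) before meta-variables are built, case-insensitively."""
    return {n: v for n, v in headers.items() if n.lower() != COLLIDING_HEADER}


def is_cgi_context(env: Dict[str, str]) -> bool:
    """GATEWAY_INTERFACE (RFC 3875 4.1.4) is set by CGI gateways, e.g. 'CGI/1.1'."""
    return env.get("GATEWAY_INTERFACE", "").upper().startswith("CGI/")


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Application-side mitigation: the proxy the application may use for its
    own outbound HTTP.  Under CGI, HTTP_PROXY may carry client data, so it is
    ignored entirely; a CGI application should take its proxy setting from
    configuration instead.  Outside CGI the variable is operator-controlled
    and may be honoured as usual."""
    if is_cgi_context(env):
        return None
    return env.get("HTTP_PROXY") or None


if __name__ == "__main__":
    # Constructed request: a normal Host header plus an unsolicited Proxy header.
    request_headers = {"Host": "app.example", "Proxy": "client-supplied.invalid:8080"}

    naive_env = dict(cgi_meta_variables(request_headers), GATEWAY_INTERFACE="CGI/1.1")
    print("naive CGI env HTTP_PROXY  :", naive_env.get("HTTP_PROXY"))
    print("proxy the app will use    :", outbound_proxy(naive_env))  # None: refused under CGI

    hardened_env = cgi_meta_variables(strip_proxy_header(request_headers))
    print("HTTP_PROXY after stripping:", hardened_env.get("HTTP_PROXY"))  # None: never set
```

Both controls are independent: stripping at the gateway protects applications that do call getenv('HTTP_PROXY'), while the context check protects an application deployed behind a gateway that was never reconfigured.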
Vulnerability category: Open redirect
Threat overview for CVE-2016-5385
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2016-5385: 89,835
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2016-5385
- Probability of exploitation activity in the next 30 days: 95.07%
- Percentile (the proportion of vulnerabilities scored at or below this one): ~99%
CVSS scores for CVE-2016-5385
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P | 4.9 | 6.4 | NIST
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST
CWE ids for CVE-2016-5385
- A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5385
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 (HPSBMU03691 rev.1 - HPE Insight Control, Multiple Remote Vulnerabilities) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2016-1610.html (RHSA-2016:1610 - Security Advisory - Red Hat Customer Portal) [Broken Link; Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2016-1613.html (RHSA-2016:1613 - Security Advisory - Red Hat Customer Portal) [Broken Link; Third Party Advisory]
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297 (HPSBST03671 rev.2 - HPE StoreEver MSL6480 Tape Library Management Interface, Multiple Remote Vulnerabilities) [Third Party Advisory]
- http://www.securityfocus.com/bid/91821 (PHP CVE-2016-5385 Security Bypass Vulnerability) [Third Party Advisory; VDB Entry]
- http://rhn.redhat.com/errata/RHSA-2016-1612.html (RHSA-2016:1612 - Security Advisory - Red Hat Customer Portal) [Broken Link; Third Party Advisory]
- https://security.gentoo.org/glsa/201611-22 (PHP: Multiple vulnerabilities (GLSA 201611-22) — Gentoo security) [Third Party Advisory]
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html (Oracle Critical Patch Update - January 2018) [Patch; Third Party Advisory]
- https://github.com/guzzle/guzzle/releases/tag/6.2.1 (Release 6.2.1 · guzzle/guzzle · GitHub) [Release Notes; Third Party Advisory]
- https://www.drupal.org/SA-CORE-2016-003 (Drupal Core - Highly Critical - Injection - SA-CORE-2016-003 | Drupal.org) [Third Party Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=1353794 (1353794 – (CVE-2016-5385) CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header) [Issue Tracking; Third Party Advisory; VDB Entry]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/ ([SECURITY] Fedora 24 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc24 - package-announce - Fedora Mailing-Lists)
- http://rhn.redhat.com/errata/RHSA-2016-1609.html (RHSA-2016:1609 - Security Advisory - Red Hat Customer Portal) [Broken Link; Third Party Advisory]
- http://www.debian.org/security/2016/dsa-3631 (Debian -- Security Information -- DSA-3631-1 php5) [Third Party Advisory]
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149 (HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of Information) [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/ ([SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc23 - package-announce - Fedora Mailing-Lists)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/ ([SECURITY] Fedora 24 Update: php-5.6.24-2.fc24 - package-announce - Fedora Mailing-Lists)
- https://httpoxy.org/ (httpoxy) [Third Party Advisory]
- http://www.securitytracker.com/id/1036335 (PHP "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target Application Requests to an Arbitrary Web Proxy in Certain Cases - SecurityTracker) [Third Party Advisory; VDB Entry]
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us (HPESBHF03770 rev.1 - HPE Comware 7 MSR Routers using PHP, Go, Apache Http Server, and Tomcat, Remote Arbitrary Code Execution) [Third Party Advisory]
- http://www.kb.cert.org/vuls/id/797896 (VU#797896 - CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables) [Third Party Advisory; US Government Resource]
- http://rhn.redhat.com/errata/RHSA-2016-1611.html (RHSA-2016:1611 - Security Advisory - Red Hat Customer Portal) [Broken Link; Third Party Advisory]
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html (Oracle Critical Patch Update - July 2017) [Patch; Third Party Advisory]
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html (Oracle Linux Bulletin - July 2016) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html (openSUSE-SU-2016:1922-1: moderate: Security update for php5) [Third Party Advisory]
Products affected by CVE-2016-5385
- cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:*
- cpe:2.3:o:hp:storeever_msl6480_tape_library_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:6:-:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_user_data_repository:10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_user_data_repository:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_user_data_repository:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*