PHP 7.0.8 Remote Code Execution Vulnerability

Summary

PHP is prone to a remote code-execution vulnerability. A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Credit:

The original article can be found at: https://bugzilla.redhat.com/show_bug.cgi?id=1353794


Details

Vulnerable Systems:
 * PHP 7.0.8

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an ‘httpoxy’ issue.
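One way an application can pick its outbound proxy without trusting an HTTP_PROXY value that may have come from a request's Proxy header. This is an added example, not code from PHP or from the original advisory. The variable name APP_OUTBOUND_PROXY and both function names are hypothetical, and the sample environments are constructed.

```php
<?php
declare(strict_types=1);

// Accept only well-formed http/https proxy URLs.
function validate_proxy_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

// $env is the process environment, $sapi the value of PHP_SAPI.
function resolve_outbound_proxy(array $env, string $sapi): ?string
{
    // Hypothetical operator-set variable. It has no "HTTP_" prefix, so the
    // RFC 3875 header-to-meta-variable mapping cannot populate it.
    $explicit = $env['APP_OUTBOUND_PROXY'] ?? '';
    if ($explicit !== '') {
        return validate_proxy_url($explicit);
    }
    // Assumption: on the CLI there is no request, so these variables were
    // set by whoever launched the process.
    if ($sapi === 'cli') {
        $fromShell = $env['http_proxy'] ?? $env['HTTP_PROXY'] ?? '';
        return $fromShell !== '' ? validate_proxy_url($fromShell) : null;
    }
    // Web/CGI SAPI: HTTP_PROXY may be the client's Proxy header. Ignore it.
    return null;
}

// Constructed sample environments (192.0.2.0/24 is a documentation range).
$cgiEnv = ['REQUEST_METHOD' => 'GET', 'HTTP_HOST' => 'app.example',
           'HTTP_PROXY' => 'http://192.0.2.10:8080']; // derived from "Proxy:" header
$cliEnv = ['http_proxy' => 'http://proxy.internal.example:3128'];
$cfgEnv = $cgiEnv + ['APP_OUTBOUND_PROXY' => 'http://proxy.internal.example:3128'];

$checks = [
    'cgi ignores header-derived HTTP_PROXY' => resolve_outbound_proxy($cgiEnv, 'cgi-fcgi') === null,
    'cli honours shell http_proxy' => resolve_outbound_proxy($cliEnv, 'cli') === $cliEnv['http_proxy'],
    'explicit setting wins under cgi' => resolve_outbound_proxy($cfgEnv, 'cgi-fcgi') === $cfgEnv['APP_OUTBOUND_PROXY'],
    'non-http scheme rejected' => validate_proxy_url('file:///etc/passwd') === null,
];
foreach ($checks as $name => $ok) {
    if (!$ok) {
        throw new RuntimeException("check failed: $name");
    }
    echo "ok: $name\n";
}
```

Application-level filtering complements, rather than replaces, dropping the Proxy request header at the web server or reverse proxy before it reaches the CGI environment.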

CVE Information:
CVE-2016-5385

Disclosure Timeline:
Publish Date : 2016-07-18
Last Update Date : 2016-07-19
