PHP 7.0.8 Remote Code Execution Vulnerability


PHP is prone to a remote code-execution vulnerability.This allows a remote attacker to exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.


The original article can be found at:


Vulnerable Systems:
 * PHP 7.0.8

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv(‘HTTP_PROXY’) call or (2) a CGI configuration of PHP, aka an ‘httpoxy’ issue.

CVE Information:

Disclosure Timeline:
Publish Date : 2016-07-18
Last Update Date : 2016-07-19

Categories: News