CVE-2016-5385 in Communications BRMinfo

Summary

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Reservation

06/10/2016

Disclosure

07/18/2016

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
111958	Oracle Communications BRM User Data Repository access control	284	Not defined	Official fix	CVE-2016-5385
89667	PHP RFC 3875 Namespace Conflict access control	284	Not defined	Official fix	CVE-2016-5385

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸

Do you need the next level of professionalism?

Upgrade your account now!