PHP up to 7.0.8 RFC 3875 Namespace Conflict HTTP_PROXY access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.1 | $5k-$25k | 0.00 |
Summary
A vulnerability marked as critical has been reported in PHP up to 7.0.8. The affected element is an unknown function of the component RFC 3875 Namespace Conflict Handler. Performing a manipulation of the argument HTTP_PROXY as part of Environment Variable results in access control. This vulnerability is reported as CVE-2016-5385. The attack is possible to be carried out remotely. No exploit exists.
Details
A vulnerability classified as critical has been found in PHP up to 7.0.8 (Programming Language Software). This affects an unknown code of the component RFC 3875 Namespace Conflict Handler. The manipulation of the argument HTTP_PROXY as part of a Environment Variable leads to a access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
The bug was discovered 07/19/2016. The weakness was disclosed 07/19/2016 (Website). It is possible to read the advisory at kb.cert.org. This vulnerability is uniquely identified as CVE-2016-5385 since 06/10/2016. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/05/2022). The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 900012 , which helps to determine the existence of the flaw in a target environment. The commercial vulnerability scanner Qualys is able to test this issue with plugin 168994 (SUSE Enterprise Linux Security Update for php5 (SUSE-SU-2016:1842-1)).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. Attack attempts may be identified with Snort ID 39737.
The vulnerability is also documented in the databases at Tenable (900012) and SecurityFocus (BID 91821†). Further details are available at nginx.com. The entries VDB-68431, VDB-89668, VDB-89669 and VDB-89670 are pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Affected
- Drupal
Product
Type
Name
Version
License
Website
- Product: https://www.php.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.1VulDB Meta Temp Score: 8.1
VulDB Base Score: 8.1
VulDB Temp Score: 8.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.1
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 900012
Nessus File: 🔍
OpenVAS ID: 900600
OpenVAS Name: Fedora Update for php-guzzlehttp-guzzle6 FEDORA-2016-4e7db3d437
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
Upgrade: github.com
Snort ID: 39737
Snort Message: SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt
Snort Class: 🔍
Timeline
06/10/2016 🔍07/18/2016 🔍
07/18/2016 🔍
07/19/2016 🔍
07/19/2016 🔍
07/19/2016 🔍
09/05/2022 🔍
Sources
Product: php.orgAdvisory: RHSA-2016:1609
Status: Not defined
Confirmation: 🔍
CVE: CVE-2016-5385 (🔍)
GCVE (CVE): GCVE-0-2016-5385
GCVE (VulDB): GCVE-100-89667
OVAL: 🔍
CERT: 🔍
SecurityFocus: 91821 - PHP CVE-2016-5385 Security Bypass Vulnerability
SecurityTracker: 1036335
Misc.: 🔍
See also: 🔍
Entry
Created: 07/19/2016 10:07Updated: 09/05/2022 10:27
Changes: 07/19/2016 10:07 (67), 06/13/2019 06:49 (13), 09/05/2022 10:27 (4)
Complete: 🔍
Cache ID: 216:CFF:103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.