{"id":"CVE-2016-5385","details":"PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.","aliases":["GHSA-m6ch-gg5f-wxx3"],"modified":"2026-02-24T01:10:11.813675Z","published":"2016-07-19T02:00:17.773Z","related":["SUSE-SU-2016:1842-1","SUSE-SU-2016:2941-1","openSUSE-SU-2024:11175-1"],"references":[{"type":"WEB","url":"http://www.kb.cert.org/vuls/id/797896"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1609.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1610.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1611.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1612.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1613.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3631"},{"type":"ADVISORY","url":"http://www.kb.cert.org/vuls/id/797896"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91821"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036335"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353794"},{"type":"ADVISORY","url":"https://github.com/guzzle/guzzle/releases/tag/6.2.1"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"type":"ADVISORY","url":"https://httpoxy.org/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201611-22"},{"type":"ADVISORY","url":"https://www.drupal.org/SA-CORE-2016-003"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353794"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"ca30166e37ed78e1f9920dc42a82396d98d2a3f4"},{"fixed":"5e60a2770329300866319aac1ab465159688d319"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-5385.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/guzzle/guzzle","events":[{"introduced":"0"},{"fixed":"3f808fba627f2c5b69e2501217bf31af349c1427"}]}],"versions":["4.0.0","4.0.0-rc.1","4.0.0-rc.2","4.0.1","4.0.2","4.1.0","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.2.0","4.2.1","4.2.2","4.2.3","5.0.0","5.0.1","5.0.2","5.0.3","5.1.0","5.2.0","5.3.0","6.0.0","6.0.1","6.0.2","6.1.0","6.1.1","6.2.0","v1.0.0","v1.0.0beta1","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.4.1","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.7.0","v2.7.1","v2.7.2","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.3.0","v3.3.1","v3.4.0","v3.4.1","v3.4.2","v3.4.3","v3.5.0","v3.6.0","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.8.0","v3.8.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-5385.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"54356fd888f58524342f8e1aa2cf03dccf131701"},{"fixed":"bcd100d812b525c982cf75d6c6dabe839f61634a"},{"introduced":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"fixed":"929267357d6bad747b1ef62d2d2667a1b638f225"},{"introduced":"cd4973d4acae08e6636843b8e706547b33658693"},{"fixed":"bcb96821bdb56d92e523a099a7079d141a853252"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-5385.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}