{"id":"CVE-2016-5385","details":"PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.","aliases":["GHSA-m6ch-gg5f-wxx3"],"modified":"2026-04-10T03:51:40.535731Z","published":"2016-07-19T02:00:17.773Z","related":["SUSE-SU-2016:1842-1","SUSE-SU-2016:2941-1","openSUSE-SU-2024:11175-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297"},{"type":"ADVISORY","url":"https://httpoxy.org/"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1609.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201611-22"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1610.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1613.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91821"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"},{"type":"ADVISORY","url":"https://www.drupal.org/SA-CORE-2016-003"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html"},{"type":"ADVISORY","url":"http://www.kb.cert.org/vuls/id/797896"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1611.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1612.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3631"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036335"},{"type":"ADVISORY","url":"https://github.com/guzzle/guzzle/releases/tag/6.2.1"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353794"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"0"},{"last_affected":"2700c5afb6c3936041db413872eea82dc0bd4fe4"},{"introduced":"0"},{"last_affected":"0faf8a707ac80ccba7768596bc3a195eb98d89fc"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"10.0.0"},{"introduced":"0"},{"last_affected":"10.0.1"}]}},{"type":"GIT","repo":"https://github.com/guzzle/guzzle","events":[{"introduced":"0"},{"last_affected":"df897ae757ad329d2affc38ffb5bbce782b2b510"},{"introduced":"0"},{"last_affected":"df897ae757ad329d2affc38ffb5bbce782b2b510"},{"introduced":"0"},{"last_affected":"df897ae757ad329d2affc38ffb5bbce782b2b510"},{"fixed":"3f808fba627f2c5b69e2501217bf31af349c1427"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"6.0"}]}},{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"last_affected":"da35db3ec5fc4b27087292c067a6ea1d0f77bf8f"},{"introduced":"0"},{"last_affected":"400e65e955f08ad6ae57c1a15be04d5852107252"},{"introduced":"2c2d0de09e522fe097bfcebfb758171eb6aa5270"},{"fixed":"bcd100d812b525c982cf75d6c6dabe839f61634a"},{"introduced":"fc1df8e7a6886e29a6ed5bef3f674ac61164e847"},{"fixed":"38980c9ea4156ce52a53f9f3e1007ea3d787fa11"},{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"last_affected":"a36407215f69ba2debf77933dcb3faa0c3ba2d04"},{"introduced":"0"},{"last_affected":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"introduced":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"},{"fixed":"d35e577a1bd0b35b9386cea97cddc73fd98eed6d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6-NA"},{"introduced":"0"},{"last_affected":"7-NA"},{"introduced":"5.5.0"},{"fixed":"5.5.38"},{"introduced":"5.6.0"},{"fixed":"5.6.24"},{"introduced":"7.0.0"},{"last_affected":"7.0.8"},{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"8.0.0"},{"fixed":"8.1.7"}]}}],"versions":["1.0","10.0.0","10.0.0-alpha1","10.0.0-alpha3","10.0.0-alpha4","10.0.0-alpha5","10.0.0-alpha6","10.0.0-alpha7","10.0.0-beta1","10.0.0-beta2","10.0.0-rc1","10.0.0-rc2","10.0.0-rc3","10.0.1","2.0","3.0.1","4.0.0","4.0.0-rc.1","4.0.0-rc.2","4.0.1","4.0.2","4.1.0","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.2.0","4.2.1","4.2.2","4.2.3","5.0-beta-1","5.0-beta-2","5.0-rc-1","5.0-rc-2","5.0.0","5.0.1","5.0.2","5.0.3","5.1.0","5.2.0","5.3.0","6.0-beta-1","6.0-beta-2","6.0-beta-3","6.0-beta-4","6.0-rc-1","6.0-rc-2","6.0-rc-3","6.0.0","6.0.1","6.0.2","6.1.0","6.1.1","6.2.0","7.0","7.0-alpha1","7.0-alpha2","7.0-alpha3","7.0-alpha4","7.0-alpha5","7.0-alpha6","7.0-alpha7","7.0-beta1","7.0-beta2","7.0-beta3","7.0-rc-1","7.0-rc-2","7.0-rc-3","7.0-rc-4","7.0-unstable-1","7.0-unstable-10","7.0-unstable-2","7.0-unstable-3","7.0-unstable-4","7.0-unstable-5","7.0-unstable-6","7.0-unstable-7","8.0-alpha10","8.0-alpha11","8.0-alpha12","8.0-alpha13","8.0-alpha2","8.0-alpha3","8.0-alpha4","8.0-alpha5","8.0-alpha6","8.0-alpha7","8.0-alpha8","8.0-alpha9","8.0.0","8.0.0-alpha14","8.0.0-alpha15","8.0.0-beta1","8.0.0-beta10","8.0.0-beta11","8.0.0-beta12","8.0.0-beta13","8.0.0-beta14","8.0.0-beta15","8.0.0-beta16","8.0.0-beta2","8.0.0-beta3","8.0.0-beta4","8.0.0-beta5","8.0.0-beta6","8.0.0-beta7","8.0.0-beta9","8.0.0-rc1","8.0.0-rc2","8.0.0-rc3","8.0.0-rc4","8.1.0-beta1","9.0.0-alpha1","9.0.0-alpha2","POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS","php-5.6.24RC1","php-7.0.8","php-7.0.8RC1","php-8.0.0","php-8.1.7RC1","start","v1.0.0","v1.0.0beta1","v1.0.1","v1.0.2","v1.0.3","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.4.1","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.7.0","v2.7.1","v2.7.2","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.3.0","v3.3.1","v3.4.0","v3.4.1","v3.4.2","v3.4.3","v3.5.0","v3.6.0","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.8.0","v3.8.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5385.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"23"}]},{"events":[{"introduced":"0"},{"last_affected":"24"}]},{"events":[{"introduced":"0"},{"last_affected":"5.09"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"42.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}