CVE-2016-5385
First published: Wed Jul 15 2015(Updated: )
Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. The PHP web framework contains will automatically populate the HTTP_PROXY environmental variable with a user supplied "Proxy" header.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/amphp/artax | >=2<2.0.4>0.7.1<1.0.4 | |
| composer/bugsnag/bugsnag-laravel | >=2<2.0.2 | 2.0.2 |
| composer/drupal/core | >=8.0<8.1.0>=8.1.0<8.1.7 | |
| composer/guzzlehttp/guzzle | >=6<6.2.1>=4.0.0-rc2<4.2.4>=5<5.3.1 | 6.2.1 |
| composer/drupal/drupal | >=8.0<8.1.0>=8.1.0<8.1.7 | |
| composer/padraic/humbug_get_contents | <1.1.2 | 1.1.2 |
| composer/typo3/cms | >=8.0.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.2.1 | |
| composer/typo3/cms | >=8.0.0<8.2.1 | 8.2.1 |
| composer/drupal/drupal | >=8.0<8.1.7 | 8.1.7 |
| composer/bugsnag/bugsnag-laravel | >=2<2.0.2 | 2.0.2 |
| composer/amphp/artax | >0.7.1<1.0.4 | 1.0.4 |
| composer/padraic/humbug_get_contents | <1.1.2 | 1.1.2 |
| composer/amphp/artax | >=2.0.0<2.0.4 | 2.0.4 |
| composer/drupal/core | >=8.0<8.1.7 | 8.1.7 |
| composer/guzzlehttp/guzzle | >=5<5.3.1 | 5.3.1 |
| composer/guzzlehttp/guzzle | >=4.0.0-rc2<4.2.4 | 4.2.4 |
| composer/guzzlehttp/guzzle | >=6<6.2.1 | 6.2.1 |
| PHP | <7.0.9 | 7.0.9 |
| Oracle Communications User Data Repository | =10.0.0 | |
| Oracle Communications User Data Repository | =10.0.1 | |
| Oracle Communications User Data Repository | =12.0.0 | |
| Oracle Enterprise Manager Ops Center | =12.2.2 | |
| Oracle Enterprise Manager Ops Center | =12.3.2 | |
| Oracle Linux | =6 | |
| Oracle Linux | =7 | |
| Fedora | =23 | |
| Fedora | =24 | |
| All of | ||
| HP StoreEver MSL6480 Tape Library Firmware | <=5.09 | |
| HP StoreEver MSL6480 Tape Library Firmware | ||
| HP System Management Homepage | <=7.5.5.0 | |
| PHP | >=5.5.0<5.5.38 | |
| PHP | >=5.6.0<5.6.24 | |
| PHP | >=7.0.0<=7.0.8 | |
| redhat enterprise Linux desktop | =6.0 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux workstation | =6.0 | |
| Debian | =8.0 | |
| openSUSE | =42.1 | |
| Drupal | >=8.0.0<8.1.7 | |
| HP StoreEver MSL6480 Tape Library Firmware | <=5.09 | |
| HP StoreEver MSL6480 Tape Library Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://twitter.com/asyncphp/status/755136084917583872
- https://github.com/bugsnag/bugsnag-laravel/releases/tag/v2.0.2
- https://www.drupal.org/SA-CORE-2016-003
- https://github.com/guzzle/guzzle/releases/tag/6.2.1
- https://github.com/humbug/file_get_contents/releases/tag/1.1.2
- https://typo3.org/security/advisory/typo3-core-sa-2016-019
- https://nvd.nist.gov/vuln/detail/CVE-2016-5385
- https://bugzilla.redhat.com/show_bug.cgi?id=1353794
- https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2016-5385.yaml
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
- https://security.gentoo.org/glsa/201611-22
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html
- http://rhn.redhat.com/errata/RHSA-2016-1609.html
- http://rhn.redhat.com/errata/RHSA-2016-1610.html
- http://rhn.redhat.com/errata/RHSA-2016-1611.html
- http://rhn.redhat.com/errata/RHSA-2016-1612.html
- http://rhn.redhat.com/errata/RHSA-2016-1613.html
- http://www.debian.org/security/2016/dsa-3631
- http://www.kb.cert.org/vuls/id/797896
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.securityfocus.com/bid/91821
- http://www.securitytracker.com/id/1036335
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
- https://github.com/bugsnag/bugsnag-laravel/pull/143
- https://github.com/bugsnag/bugsnag-laravel/pull/145
- https://github.com/humbug/file_get_contents/pull/23
- https://github.com/humbug/file_get_contents/pull/23/commits/848e8c282a863654e76bd958acfb57c81cb739b5
- https://github.com/amphp/artax/commit/81254742812a5a9adf4b085f543f3f21daedcd97
- https://github.com/amphp/artax/commit/b60cf493c9e577a3678865f620b1eb61ab3d7ca9
- https://github.com/guzzle/guzzle/blob/4.x/CHANGELOG.md#424-2016-07-18
- https://github.com/guzzle/guzzle/blob/5.3/CHANGELOG.md#531---2016-07-18
- https://github.com/guzzle/guzzle/blob/master/CHANGELOG.md#622---2016-10-08
- https://github.com/advisories/GHSA-m6ch-gg5f-wxx3 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1353794#c2
- https://github.com/guzzle/guzzle/blob/443a7a62/src/Client.php#L166
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1353794#c9
- http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec
- http://git.php.net/?p=php-src.git;a=commit;h=fb4a6dc0f1df106dae84c9d8f3ec53cc0da7231b
- https://rhn.redhat.com/errata/RHSA-2016-1610.html
- https://rhn.redhat.com/errata/RHSA-2016-1612.html
- https://rhn.redhat.com/errata/RHSA-2016-1611.html
- https://rhn.redhat.com/errata/RHSA-2016-1609.html
- https://rhn.redhat.com/errata/RHSA-2016-1613.html
- https://httpoxy.org/
- https://www.php.net/ChangeLog-7.php#7.0.9 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/amphp/artax/CVE-2016-5385.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/bugsnag/bugsnag-laravel/CVE-2016-5385.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-5385.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-5385.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/padraic/humbug_get_contents/CVE-2016-5385.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2016-5385.yaml
Frequently Asked Questions
What is the severity of CVE-2016-5385?
CVE-2016-5385 is classified as a medium severity vulnerability.
How do I fix CVE-2016-5385?
To fix CVE-2016-5385, update the affected packages to their latest versions as specified in the vulnerability report.
Which software is affected by CVE-2016-5385?
CVE-2016-5385 affects various packages including PHP, Drupal, Guzzle, and many others.
What type of vulnerability is CVE-2016-5385?
CVE-2016-5385 is a vulnerability related to improper handling of the Proxy request header.
Is CVE-2016-5385 being actively exploited?
There have been no public reports indicating that CVE-2016-5385 is currently being actively exploited.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m6ch-gg5f-wxx3
- alias/CVE-2016-5385
- agent/software-canonical-lookup
- agent/references
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup-request
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/composer
- vendor/php
- canonical/php
- vendor/oracle
- canonical/oracle communications user data repository
- version/oracle communications user data repository/10.0.0
- version/oracle communications user data repository/10.0.1
- version/oracle communications user data repository/12.0.0
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.2.2
- version/oracle enterprise manager ops center/12.3.2
- canonical/oracle linux
- version/oracle linux/6
- version/oracle linux/7
- vendor/fedoraproject
- canonical/fedora
- version/fedora/23
- version/fedora/24
- vendor/hp
- canonical/hp storeever msl6480 tape library firmware
- version/hp storeever msl6480 tape library firmware/5.09
- canonical/hp system management homepage
- version/hp system management homepage/7.5.5.0
- version/php/5.5.0
- version/php/5.6.0
- version/php/7.0.0
- version/php/7.0.8
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- vendor/debian
- canonical/debian
- version/debian/8.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/42.1
- vendor/drupal
- canonical/drupal
- version/drupal/8.0.0