Bug 1437837 (CVE-2017-7272)

Summary: CVE-2017-7272 php: potential SSRF via fsockopen
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abhgupta, fedora, hhorak, jorton, kseifried, rcollet, sardella, tiwillia, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20170327,reported=20170327,source=cve,cvss3=5.4/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N,fedora-all/php=affected,openshift-enterprise-2/php=wontfix,rhel-5/php=wontfix,rhel-5/php53=wontfix,rhel-6/php=wontfix,rhel-7/php=wontfix,rhscl-2/rh-php56-php=wontfix,rhscl-2/rh-php70-php=wontfix
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-31 09:43:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1437838
Bug Blocks:

Description Martin Prpič 2017-03-31 09:42:22 UTC
A potential server-side request forgery flaw was found in the way PHP accepted an fsockopen hostname argument with an expectation that the port number was constrained. Because :port syntax is recognized, fsockopen would use the port number that was specified in the hostname argument, instead of the port number in the second argument of the function. This could potentially allow a remote attacker to generate requests from a vulnerable PHP application that would target an application on the attacker-supplied port.

Upstream bug:

https://bugs.php.net/bug.php?id=74216

Upstream patch:

https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

Comment 1 Martin Prpič 2017-03-31 09:43:00 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1437838]

Comment 2 Remi Collet 2017-03-31 15:16:56 UTC
Fixed in 7.0.18RC1 and 7.1.4RC1

Notice: the fix for this minor security issue creates a minor behavior change (regression), at least noticed for the "proxy" attribute of the stream context.

See:
guzzle/guzzle report https://github.com/guzzle/guzzle/issues/1790
guzzle/ringphp report https://github.com/guzzle/RingPHP/issues/41

Possible fix (probably not accepted)
https://github.com/php/php-src/pull/2443

Comment 3 Remi Collet 2017-04-27 13:08:30 UTC
While the patch was in 7.0.18/7.1.4, we discovered it breaks a lot of applications relying on undocumented behavior.

See 
https://externals.io/thread/831
https://bugs.php.net/74429
https://bugs.php.net/74432

So the change has been reverted (in 7.0.19RC1 / 7.1.5RC1).
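Because the upstream change was reverted (Comment 3), the "host:port" behavior described in the report is still present, so the hostname check has to live in the application. The wrapper below is an added example, not code from the bug report, the upstream patch or php-src; the function names are hypothetical and the inputs are constructed.

```php
<?php
// Added example, not from the bug report or php-src. Because the upstream
// change was reverted, fsockopen() still honours "host:port" in its first
// argument, so the caller must keep a port out of the hostname itself.

/**
 * Validate an untrusted hostname or IP before it reaches fsockopen().
 * Returns the string to pass as the first argument, or null if rejected.
 */
function fsockopen_safe_host(string $host): ?string
{
    // FILTER_FLAG_HOSTNAME restricts the value to letters, digits, '.' and
    // '-', so "example.com:22" fails here. Without the flag only lengths
    // are checked, which would let a ':' through.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    // An IPv6 literal legitimately contains colons; fsockopen() expects it
    // bracketed, which also keeps it distinct from host:port syntax.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return '[' . $host . ']';
    }
    return null;
}

/** Connect only after host and port have been validated independently. */
function fsockopen_checked(string $host, int $port, float $timeout = 5.0)
{
    $safe = fsockopen_safe_host($host);
    if ($safe === null) {
        throw new InvalidArgumentException("rejected hostname: $host");
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("port out of range: $port");
    }
    $fp = fsockopen($safe, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    return $fp;
}
// Constructed inputs: the first and third are accepted; the second is
// rejected before any connection, so $port alone decides the destination.
foreach (['example.com', 'example.com:22', '2001:db8::1'] as $candidate) {
    var_dump(fsockopen_safe_host($candidate));
}
```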