Bug 1437837 (CVE-2017-7272) - CVE-2017-7272 php: potential SSRF via fsockopen
Summary: CVE-2017-7272 php: potential SSRF via fsockopen
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-7272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1437838
Blocks:
Reported: 2017-03-31 09:42 UTC by Martin Prpič
Modified: 2019-09-29 14:08 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-31 09:43:24 UTC



Description Martin Prpič 2017-03-31 09:42:22 UTC
A potential server-side request forgery flaw was found in the way PHP accepted an fsockopen hostname argument with an expectation that the port number was constrained. Because :port syntax is recognized, fsockopen would use the port number that was specified in the hostname argument, instead of the port number in the second argument of the function. This could potentially allow a remote attacker to generate requests from a vulnerable PHP application that would target an application on the attacker-supplied port.

Upstream bug:

https://bugs.php.net/bug.php?id=74216

Upstream patch:

https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
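The port override described above survives in applications that hand user-controlled strings to fsockopen(), and the upstream fix was later reverted, so the caller has to pin the port itself. The following is an added example, not code from the PHP project or from this report; the helper names is_plain_host() and safe_fsockopen() are assumed names.

```php
<?php
// Added example: refuse hostname strings that could carry their own ":port"
// (or a "scheme://" prefix), so the port fsockopen() dials is always $port.

/** True when $host is a bare hostname or IP literal with no port/scheme. */
function is_plain_host(string $host): bool
{
    // Bracketed IPv6 literal, the form fsockopen() expects for IPv6.
    if ($host !== '' && $host[0] === '[' && substr($host, -1) === ']') {
        return filter_var(substr($host, 1, -1), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
    }
    // Plain IPv4 literal.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    // Any remaining colon means "host:port", "scheme://host" or an unbracketed
    // IPv6 literal; all of these can override the $port argument or transport.
    if (strpos($host, ':') !== false) {
        return false;
    }
    // RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match('/^(?=.{1,253}$)(?:' . $label . '\.)*' . $label . '$/i', $host);
}

/** Drop-in replacement for fsockopen() that validates $host before dialling. */
function safe_fsockopen(string $host, int $port, ?int &$errno = null,
                        ?string &$errstr = null, float $timeout = 5.0)
{
    if (!is_plain_host($host)) {
        throw new InvalidArgumentException("host string could override the port: $host");
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("port out of range: $port");
    }
    return fsockopen($host, $port, $errno, $errstr, $timeout);
}

// Constructed sample inputs, as an application might receive them from a
// user-supplied "host" field; only the first three are accepted.
$samples = ['api.example.com', '127.0.0.1', '[::1]',
            'api.example.com:25', 'ssl://api.example.com:443', '::1'];
foreach ($samples as $candidate) {
    printf("%-26s %s\n", $candidate, is_plain_host($candidate) ? 'accepted' : 'rejected');
}
```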

Comment 1 Martin Prpič 2017-03-31 09:43:00 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1437838]

Comment 2 Remi Collet 2017-03-31 15:16:56 UTC
Fixed in 7.0.18RC1 and 7.1.4RC1

Note that the fix for this minor security issue creates a minor behavior change (regression), at least noticed for the "proxy" attribute of stream context.

See:
guzzle/guzzle report https://github.com/guzzle/guzzle/issues/1790
guzzle/ringphp report https://github.com/guzzle/RingPHP/issues/41

Possible fix (probably not accepted)
https://github.com/php/php-src/pull/2443

Comment 3 Remi Collet 2017-04-27 13:08:30 UTC
While the patch was in 7.0.18/7.1.4, we discovered it breaks a lot of applications relying on undocumented behavior.

See:
https://externals.io/thread/831
https://bugs.php.net/74429
https://bugs.php.net/74432

So the change has been reverted (in 7.0.19RC1 / 7.1.5R1).
