CVE-2016-10397

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.28 PHP versions 7.x prior to 7.0.13

Description The issue arises from incorrect handling of various URI components in the URL parser, which could allow attackers to bypass hostname-specific URL checks. This is demonstrated by inputs such as 'evil.example.com:80#@good.example.com/' and 'evil.example.com:80?@good.example.com/' to the parse url function. The vulnerability exists due to insufficient input validation in the PHP interpreter's parse url function, potentially allowing a remote attacker to substitute the displayed URL.

Recommendations For PHP versions prior to 5.6.28, update to version 5.6.28 or later. For PHP versions 7.x prior to 7.0.13, update to version 7.0.13 or later. As a temporary workaround, consider restricting the use of the parse url function until a patch is available.