PT-2017-4240 · Php · Php
Sgolemon · Published 2017-02-16 · Updated 2019-07-17 · CVE-2017-7189
CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
PHP versions prior to 2017-03-07
Description
The issue is the misparsing of fsockopen calls in the main/streams/xp_socket.c component of PHP. The function combines the hostname and port arguments in a way that creates a security risk when the port number is hardcoded as a security policy but the hostname argument comes from untrusted input. For example, fsockopen('127.0.0.1:80', 443) is interpreted as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80, so the port embedded in the hostname is used instead of the port argument. This behavior poses a risk if an attacker can manipulate the hostname argument.
Recommendations
For PHP versions prior to 2017-03-07, consider updating to a version released after 2017-03-07 to resolve the issue. As a temporary workaround, ensure that the hostname argument in fsockopen calls comes from trusted sources to minimize the risk of exploitation. Avoid using untrusted input for the hostname argument until the issue is resolved.
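Where the hostname cannot be restricted to trusted sources, one way to keep the hardcoded port authoritative is to accept only a bare IP literal or DNS name before calling fsockopen, so that a value such as '127.0.0.1:80' is rejected. This is an added example, not code from the advisory or from PHP itself; the names bare_host, fsockopen_fixed_port and HOSTNAME_RE are hypothetical.

```php
<?php
// Added example (not PHP project code): keep a hardcoded port authoritative by
// refusing any host string that is not a bare IP literal or DNS name.

const HOSTNAME_RE = '/\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
                  . '(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i';

/** Hypothetical helper: return a host safe to pass to fsockopen(), or null. */
function bare_host(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return '[' . $host . ']';   // fsockopen() expects bracketed IPv6 literals
    }
    // DNS name: only letters, digits, '-' and '.', so ':' can never appear.
    return preg_match(HOSTNAME_RE, $host) === 1 ? $host : null;
}

/** Hypothetical wrapper: $port is the policy value and cannot be overridden. */
function fsockopen_fixed_port(string $untrustedHost, int $port, float $timeout = 5.0)
{
    $host = bare_host($untrustedHost);
    if ($host === null) {
        throw new InvalidArgumentException('host must be a bare IP address or DNS name');
    }
    return fsockopen($host, $port, $errno, $errstr, $timeout);
}

// Constructed sample inputs; only validation runs here, no connection is made.
$samples = ['127.0.0.1', 'example.com', '::1',
            '127.0.0.1:80', 'example.com:8080', '[::1]:80'];
foreach ($samples as $s) {
    $host = bare_host($s);
    printf("%-18s %s\n", $s, $host === null ? 'rejected' : "accepted as $host");
}
```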
Fix
RCE
Affected Products
Php