PT-2019-7841 · Php · Pecl Http

Hlt99 · Published 2019-09-06 · Updated 2019-09-20 · CVE-2016-7398

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

pecl-http extension versions 3.1.0beta2 and earlier (PHP 7)
pecl-http extension versions 2.6.0beta2 and earlier (PHP 5)

Description

A type confusion issue in the merge_param() function of php_http_params.c allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.

Recommendations

For pecl-http extension versions 3.1.0beta2 and earlier (PHP 7), update to a version that fixes the issue in the merge_param() function.
For pecl-http extension versions 2.6.0beta2 and earlier (PHP 5), update to a version that fixes the issue in the merge_param() function.
As a temporary workaround, consider restricting access to the merge_param() function until a patch is available.

Exploit

Fix

Incorrect Type Conversion or Cast

Weakness Enumeration

Related Identifiers

CVE-2016-7398
DLA-1929-1

Affected Products

Pecl Http