Test ID:	1.3.6.1.4.1.25623.1.0.108874
Category:	Web application abuses
Title:	PHP 'CVE-2017-7189' Improper Input Validation Vulnerability - Linux
Summary:	PHP is improperly validating input from untrusted input.
Description:	Summary: PHP is improperly validating input from untrusted input. Vulnerability Insight: main/streams/xp_socket.c in PHP misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input. Affected Software/OS: All PHP versions since 4.3.0 up to the latest 7.x versions. Note: PHP versions 7.0.18 and 7.1.4 introduced a fix which was reverted again in version 7.0.19 / 7.1.5 respectively. Solution: No solution was made available by the vendor. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. Note: PHP versions 7.0.18 and 7.1.4 introduced a fix which was reverted again in version 7.0.19 / 7.1.5 respectively and the fix wasn't introduced again as of today (08-2020). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2017-7189 https://bugs.php.net/bug.php?id=74192 https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
Copyright	Copyright (C) 2020 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.