In PHP prior to 5.6.28 and 7.x prior to 7.0.13, incorrect handling of various URI components in the URL parser could be used by malicious users to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
php php 7.0.11 |
||
php php 7.0.4 |
||
php php 7.0.3 |
||
php php 7.0.1 |
||
php php 7.0.12 |
||
php php |
||
php php 7.0.7 |
||
php php 7.0.2 |
||
php php 7.0.9 |
||
php php 7.0.8 |
||
php php 7.0.5 |
||
php php 7.0.10 |
||
php php 7.0.0 |
||
php php 7.0.6 |