CVE-2017-7189

HIGH

PHP 7.0.0-7.0.15 - Improper Input Validation in fsockopen Address Parsing

Title source: llm

Description

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

View Patch ZIP pw:eip

Permissions Required, Vendor Advisory x_refsource_misc

https://bugs.php.net/bug.php?id=74192

Scores

CVSS v3 7.5

EPSS 0.0159

EPSS Percentile 81.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-20

Status published

Products (1)

php/php 7.0.0 - 7.0.16

Published Jul 10, 2019

Tracked Since Feb 18, 2026