CVE-2016-7398

9.8 CRITICAL

📋 TL;DR

A type confusion vulnerability in PHP's pecl-http extension lets a remote attacker crash the PHP process, and potentially execute arbitrary code, by sending crafted HTTP requests. It affects any PHP application that loads a vulnerable version of the extension, and it is exploitable remotely without authentication.

💻 Affected Systems

Products:
  • PHP pecl-http extension
Versions: pecl-http 3.1.0beta2 (PHP 7) and earlier, 2.6.0beta2 (PHP 5) and earlier
Operating Systems: All operating systems running PHP with pecl-http extension
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with pecl-http extension installed and enabled. Not part of default PHP installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: PHP process crashes causing denial of service, plus memory corruption that could be leveraged for code execution.

🟢 If Mitigated: Limited impact if proper input validation and WAF rules are in place to block malicious HTTP requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Crafted HTTP requests can trigger the vulnerability. Public bug reports demonstrate the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: pecl-http 3.1.0 stable or 2.6.0 stable

Vendor Advisory: https://bugs.php.net/bug.php?id=73055

Restart Required: Yes

Instructions:

1. Update the pecl-http extension to version 3.1.0 or later for PHP 7, or 2.6.0 or later for PHP 5.
2. Restart PHP-FPM or the web server so the new extension binary is loaded.
3. Verify that the extension is loaded with 'php -m | grep http'; 'php -m' only lists loaded modules, so confirm the version itself with 'php -i | grep "http version"'.

🔧 Temporary Workarounds

Disable pecl-http extension (linux)

Remove or disable the vulnerable extension if it is not required:
  • phpdismod http
  • Remove 'extension=http.so' from php.ini

Web Application Firewall rules (all)

Block malicious HTTP requests targeting the merge_param function.

🧯 If You Can't Patch

  • Isolate affected systems behind reverse proxies with strict input validation
  • Implement network segmentation to limit attack surface

🔍 How to Verify

Check if Vulnerable:

Run 'php -m | grep http' to check if pecl-http is installed, then check version with 'php -i | grep "http version"'

Check Version:

php -i | grep "http version"

Verify Fix Applied:

Verify pecl-http version is 3.1.0+ (PHP 7) or 2.6.0+ (PHP 5) using 'php -i | grep "http version"'
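The version check above is easy to get wrong by hand because the last vulnerable releases (3.1.0beta2, 2.6.0beta2) carry the same numbers as the fixed stable releases. The following script is an added example, not part of the advisory or the pecl-http project: it classifies a version string you pass in (for instance the value read from the 'php -i' output above) against the affected ranges, treating any pre-release tag on the fix version as still vulnerable. It makes no assumption about the exact label pecl-http prints in 'php -i'.

```shell
#!/bin/sh
# Added example: classify a pecl-http version against the ranges in this advisory.
# The version string is supplied by the caller; this script does not parse `php -i`
# itself because the exact label printed there is not assumed.

# is_vulnerable VERSION
# Exit 0 if VERSION is at or below the last vulnerable release of its line
# (3.1.0beta2 for the PHP 7 line, 2.6.0beta2 for the PHP 5 line), 1 if it is a
# fixed release, 2 if the string is not an x.y.z version or not a known line.
is_vulnerable() {
    ver=$1
    # Numeric part only; sed leaves the input unchanged if it is not x.y.z...
    num=$(printf '%s' "$ver" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
    case "$num" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    tag=${ver#"$num"}            # pre-release suffix such as "beta2"; empty for stable
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # First fixed release per major line, as stated in the advisory.
    case "$major" in
        3) fix_minor=1; fix_patch=0 ;;   # fixed in 3.1.0 stable (PHP 7)
        2) fix_minor=6; fix_patch=0 ;;   # fixed in 2.6.0 stable (PHP 5)
        *) return 2 ;;                   # other lines are outside this advisory
    esac

    # Strictly older than the fixed release: vulnerable.
    [ "$minor" -lt "$fix_minor" ] && return 0
    [ "$minor" -eq "$fix_minor" ] && [ "$patch" -lt "$fix_patch" ] && return 0
    # Same numbers as the fix but with a pre-release tag (3.1.0beta2, 2.6.0beta2):
    # still vulnerable, since only the stable release carries the fix.
    [ "$minor" -eq "$fix_minor" ] && [ "$patch" -eq "$fix_patch" ] && [ -n "$tag" ] && return 0
    return 1
}

# Usage: sh check_pecl_http.sh <version>   (hypothetical file name)
if [ $# -eq 1 ]; then
    if is_vulnerable "$1"; then
        echo "pecl-http $1: VULNERABLE (CVE-2016-7398), upgrade to 3.1.0 / 2.6.0 stable"
        exit 1
    fi
    echo "pecl-http $1: not in the affected range"
fi
```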

📡 Detection & Monitoring

Log Indicators:

  • PHP segmentation fault errors
  • Unexpected process crashes in PHP error logs
  • HTTP requests with unusual parameter structures

Network Indicators:

  • HTTP requests with crafted parameter arrays targeting pecl-http endpoints

SIEM Query:

source="php_error.log" AND ("segmentation fault" OR "SIGSEGV") AND process="php"
