Sec Bug #75505 pfsockopen may cause a security problem
Submitted: 2017-11-09 03:18 UTC Modified: 2018-01-15 13:31 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Duplicate Package: *Network Functions
PHP Version: 7.1.11 OS: *
Private report: No CVE-ID: 2017-7272

 [2017-11-09 03:18 UTC] zhihua dot yao at dbappsecurity dot com dot cn
This bug is related to bug #74216, but they are not the same function. It may cause an SSRF vulnerability in web applications.

Test script:

$fp = pfsockopen("", 443);

Expected result:
It will accept from 443.

Actual result:

hjy@ubuntu:~$ nc -lvv 8000
Listening on [] (family 0, port 8000)
Connection from [] port 8000 [tcp/*] accepted (family 2, sport 53352)


 [2017-11-09 16:00 UTC]
-Status: Open +Status: Duplicate
 [2017-11-09 16:00 UTC]
fsockopen and pfsockopen have the same implementation. A fix to #74216 will also fix this case.

bug #74216 has a longer discussion already.
 [2018-01-15 13:31 UTC]
-CVE-ID: +CVE-ID: 2017-7272
 [2018-02-28 22:13 UTC] contacto at agora-security dot com

Has this issue been fixed?

It's not clear. I don't see any reference to CVE-2017-7272 in the Changelog:

I saw that in version:
7.0.18 - Fixed bug #74216 (Correctly fail on invalid IP address ports).
7.1.4 - Fixed bug #74216 (Correctly fail on invalid IP address ports).

7.0.19 - Patch for bug #74216 was reverted.
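
An application-side guard for the behaviour reported in this thread, as an added example that is not code from the PHP project or from the commenters: per the CVE-2017-7272 description, a `:port` suffix in the hostname argument is used instead of the port argument, so the host string is checked before it reaches `pfsockopen()`. The function name `safe_socket_host` and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not part of PHP): returns a host string
 * that cannot carry its own port or transport, or null if the input is rejected.
 */
function safe_socket_host(string $host): ?string
{
    $host = trim($host);

    // A bare IPv4 literal has no room for a ":port" suffix.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    // A bare IPv6 literal is bracketed so its colons are not read as a port.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return '[' . $host . ']';
    }
    // Otherwise accept only a plain DNS name: labels of letters, digits, hyphens.
    // This rejects ':' (port), '://' and '/' (transport, path), brackets,
    // '@' and embedded whitespace. \z anchors at the true end of the string.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($host) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1) {
        return $host;
    }
    return null;
}

// Constructed sample inputs (documentation-reserved names and addresses).
$samples = [
    'example.com', 'example.com:8000', '192.0.2.10', '192.0.2.10:8000',
    '2001:db8::1', 'tcp://example.com', "example.com\n:8000",
];
foreach ($samples as $candidate) {
    $host = safe_socket_host($candidate);
    printf("%-24s => %s\n", json_encode($candidate), $host ?? 'REJECTED');
}

// Usage: the port comes only from the application, never from the host string.
// $host = safe_socket_host($_POST['host'] ?? '');
// $fp   = $host !== null ? pfsockopen($host, 443, $errno, $errstr, 5) : false;
```

The check constrains only the syntax of the host argument; restricting which destinations are allowed (for example an allowlist of hosts) is a separate control.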

Last updated: Wed May 31 11:03:37 2023 UTC