Description
main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.
Remediation
References
Related Vulnerabilities
WordPress Plugin Login by Auth0 Multiple Vulnerabilities (3.11.3)
PHP Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2022-31628)
Moodle Improper Input Validation Vulnerability (CVE-2012-0801)
Opencart Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-47444)