PatchSiren cyber security CVE debrief

CVE-2016-5385 Festo Didactic SE CVE debrief

CVE-2016-5385 is the classic PHP "httpoxy" issue: if untrusted client input is allowed to influence the HTTP_PROXY environment variable, an attacker can steer outbound HTTP requests through an arbitrary proxy. In the supplied Festo Didactic MES PC advisory, the vendor maps the issue to deployments that use bundled PHP/XAMPP components and recommends replacing XAMPP with Factory Control Panel, which includes fixes.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Operators and maintainers of Festo Didactic SE MES PC systems, especially any deployment that includes PHP, XAMPP, CGI-style handling, or applications that read HTTP_PROXY or make outbound HTTP requests. Security teams should also care if the MES PC is integrated with services that depend on proxy settings for external connectivity.

Technical summary

The vulnerability stems from a namespace collision between client-controlled HTTP headers and server environment variables. Under RFC 3875, a CGI server exports each request header as a meta-variable named HTTP_ followed by the upper-cased header name, so a client-supplied Proxy header becomes HTTP_PROXY, a variable that many HTTP client libraries treat as a trusted outbound proxy setting. The supplied advisory states that PHP through 7.0.8 does not address the RFC 3875 section 4.1.18 namespace conflict, so a crafted Proxy header may populate HTTP_PROXY. If an application calls getenv('HTTP_PROXY') or runs PHP in a CGI configuration, outbound HTTP traffic can be redirected to an attacker-chosen proxy. The advisory's remediation path is to move away from the vulnerable XAMPP-based setup and use Factory Control Panel, which includes the fixes.

Defensive priority

High. This is remotely triggerable over HTTP and can affect trust in outbound network traffic. Prioritize environments where MES PC components depend on PHP or CGI behavior, or where proxy settings are used for integrations, updates, telemetry, or external web access.

Recommended defensive actions

  • Confirm whether the MES PC deployment includes PHP/XAMPP or any CGI configuration that can expose HTTP_PROXY to applications.
  • Replace the vulnerable XAMPP-based installation with the vendor-provided Factory Control Panel version that includes fixes, as stated in the advisory.
  • Audit applications and scripts for getenv('HTTP_PROXY') or similar proxy-variable trust patterns and remove dependence on client-influenced environment variables.
  • Review any outbound HTTP integrations on MES PC hosts to ensure they do not inherit proxy settings from request-derived headers.
  • Apply network and application-layer controls that block or sanitize unexpected Proxy headers before they reach server-side components.
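As an added example that is not part of the advisory or the vendor's code, the following Python models the CGI header-to-variable mapping described in the technical summary and the Proxy-header sanitization recommended above; the header values, host names and the base_env proxy setting are constructed.

```python
# Added example (not the advisory's or vendor's code): models the RFC 3875
# header-to-meta-variable mapping that turns a client "Proxy" header into
# HTTP_PROXY, flags such headers, and strips them before the CGI env is built.

# Constructed sample request headers; the Proxy value uses an RFC 5737
# documentation address, not a real host.
SAMPLE_HEADERS = {
    "Host": "mes-pc.example.internal",
    "User-Agent": "curl/8.0",
    "Proxy": "http://203.0.113.10:8080",
}

# Environment variables that outbound HTTP clients honour and that a request
# header of the same name would shadow once exported through CGI.
PROXY_ENV_VARS = {"HTTP_PROXY"}

def cgi_meta_variable(header_name):
    """RFC 3875 section 4.1.18: 'HTTP_' + upper-cased name, '-' replaced by '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def headers_to_cgi_env(headers):
    """Naive CGI export: every request header becomes an HTTP_* variable."""
    return {cgi_meta_variable(name): value for name, value in headers.items()}

def find_httpoxy_headers(headers):
    """Header names (any casing) whose meta-variable would shadow a proxy env var."""
    return [name for name in headers if cgi_meta_variable(name) in PROXY_ENV_VARS]

def sanitize_headers(headers):
    """Drop colliding headers so they never reach the CGI environment."""
    blocked = set(find_httpoxy_headers(headers))
    return {name: value for name, value in headers.items() if name not in blocked}

def build_safe_cgi_env(headers, base_env=None):
    """Sanitized headers layered on a trusted, operator-controlled base_env.

    Outbound proxy settings belong in base_env only, never in the request.
    """
    env = dict(base_env or {})
    env.update(headers_to_cgi_env(sanitize_headers(headers)))
    return env

if __name__ == "__main__":
    print("flagged:", find_httpoxy_headers(SAMPLE_HEADERS))
    print("naive env:", "HTTP_PROXY" in headers_to_cgi_env(SAMPLE_HEADERS))
    print("safe env:", "HTTP_PROXY" in build_safe_cgi_env(SAMPLE_HEADERS))
```

The same find_httpoxy_headers check can be run over captured request headers at a reverse proxy or WAF to detect the pattern before it reaches PHP.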

Evidence notes

All substantive claims above come from the supplied CSAF description and remediation data: the advisory explicitly describes the PHP 7.0.8-and-earlier httpoxy condition, the crafted Proxy header / HTTP_PROXY path, the getenv('HTTP_PROXY') and CGI examples, and the vendor remediation replacing XAMPP on MES PCs with Factory Control Panel. Timing references reflect the provided advisory publication and republication dates, not the age of the underlying PHP vulnerability.

Official resources

The supplied advisory was initially published on 2024-02-27 and later republished on 2026-01-27. It repackages the longstanding PHP httpoxy weakness as it applies to the Festo Didactic SE MES PC environment, with vendor remediation pointing