PHP through 7.1.3 enables potential SSRF in applications that accept an fsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7272