PHP HTML Entity Encoder Heap Overflow Vulnerability

Thursday, November 2. 2006

Thursday, November 2. 2006



The final version of PHP 5.2.0
has been released today after lots of release candidates. The new version contains lots of bugfixes. Some of these fix several security vulnerabilities. Included is also a fix for the integer overflow in unserialize() that was reported by us a while ago. It also includes a last minute fix for a serious vulnerability we discovered 2 days ago.


PHP's HTML Entity Encoder that is exposed to userinput by the htmlentities() and htmlspecialchars() functions contains a bufferoverflow in UTF-8 character handling. This can be exploited to execute arbitrary code. What an irony that functions supposed to protect against XSS vulnerabilities infact create more serious code execution holes in your applications. An advisory with more detailed information was released here.


This once again proves that it is a good idea to use our Suhosin-Patch because it adds canary and safeunlink protection to the Zend Memory Manager which makes this vulnerability a lot harder or in most cases impossible to exploit.


Suhosin-Patch for PHP 5.2.0 will be released tommorow.


PS: Suhosin-Patch is now also activated by default in OpenBSD.

Posted by Stefan Esser in Security, PHP at 23:59
Comments (2)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 andreas ()
I really can't understand the security policy of the PHP project -- if there's even one. Why does it take ages to publish security fixes? And why do we only get them by upgrading to a new minor release? Is it so hard to roll a new bugfix release some days after the discovery of the security hole by simply taking the last bugfix release and fixing the security holes? The suhosin patch is great, but an improved upstream security would be even better.
posted on Friday, November 3. 2006
#2 Max wrote (Link) ()
I really can't understand the security policy of the PHP project -- if there's even one. Why does it take ages to publish security fixes? And why do we only get them by upgrading to a new minor release? Is it so hard to roll a new bugfix release some days after the discovery of the security hole by simply taking the last bugfix release and fixing the security holes? The suhosin patch is great, but an improved upstream security would be even better.
posted on Sunday, April 15. 2007

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back August '08 Forward
Mon Tue Wed Thu Fri Sat Sun
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
Archives
August 2008
July 2008
June 2008
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP