Hardened-PHP Project:
PHP HTML Entity Encoder Heap Overflow Vulnerability
November 03, 2006 @ 12:58:00

The Hardened-PHP Project has put out another advisory for the PHP distribution itself, this time for a heap overflow in the HTML entity encoder affecting versions 5.1.6/4.4.4 and below. From the advisory:

While we were searching for a hole in htmlspecialchars() and htmlentities() to bypass the encoding of certain chars to exploit a possible eval() injection hole in another application, we discovered that the implementation contains a possible buffer overflow that can be triggered when the UTF-8 charset is selected.

The issue has been corrected in the latest PHP 5 release, version 5.2.0, but is still present in the PHP 4.4 series (the Hardened-PHP Project recommends a patch to apply until a fixed 4.4 release is posted). You can get complete information about this issue from the full vulnerability listing.
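To make the advisory's point concrete, here is an added example in C of the bug class it describes, written for this page and not taken from PHP's ext/standard/html.c or from the Hardened-PHP patch: a small HTML entity encoder running in UTF-8 mode, with an output buffer sized by a hypothetical naive_capacity() that counts characters instead of bytes, shown beside safe_capacity() and a bounds-checked encoder that truncates instead of overrunning. The function names, the 6-byte maximum expansion, and the sample inputs are all assumptions of this example; the arithmetic of the real PHP bug is not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest output any single input byte can produce here: "&quot;" or "&#NNN;". */
#define MAX_EXPANSION 6

static int is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/* Expected length of the UTF-8 sequence introduced by lead byte b, or 0 if b
 * cannot start a sequence (a stray continuation byte, or 0xF8..0xFF). */
static size_t seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* The bug pattern (hypothetical, not PHP's arithmetic): capacity derived from a
 * character count that only sees lead bytes, forgetting that the encoder also
 * emits a 6-byte entity for every byte that is NOT part of a valid character. */
size_t naive_capacity(const unsigned char *in, size_t len) {
    size_t chars = 0;
    for (size_t i = 0; i < len; i++)
        if (!is_cont(in[i])) chars++;
    return chars * MAX_EXPANSION + 1;
}

/* The fix: bound on bytes, which is what the encoder loop actually consumes. */
size_t safe_capacity(size_t len) { return len * MAX_EXPANSION + 1; }

typedef struct { char *buf; size_t cap; size_t written; size_t needed; } sink_t;

/* Write a piece only while it and a trailing NUL still fit; keep counting the
 * required length afterwards so the caller can detect truncation. */
static void put(sink_t *s, const char *src, size_t n) {
    if (s->buf && s->needed + n < s->cap) {
        memcpy(s->buf + s->needed, src, n);
        s->written = s->needed + n;
    }
    s->needed += n;
}

/* Escape in[0..len) as HTML, treating it as UTF-8. Complete multibyte sequences
 * are copied through; any byte not part of one becomes a numeric entity.
 * Returns the length the full output needs (without NUL); a return value >= cap
 * means the output was truncated, never that memory past out was written. */
size_t escape_html_utf8(const unsigned char *in, size_t len, char *out, size_t cap) {
    sink_t s = { out, cap, 0, 0 };
    size_t i = 0;
    while (i < len) {
        unsigned char b = in[i];
        size_t want = seq_len(b), have = 1;
        if (want == 1) {
            switch (b) {
            case '&':  put(&s, "&amp;", 5);  break;
            case '<':  put(&s, "&lt;", 4);   break;
            case '>':  put(&s, "&gt;", 4);   break;
            case '"':  put(&s, "&quot;", 6); break;
            case '\'': put(&s, "&#39;", 5);  break;
            default:   put(&s, (const char *)&b, 1);
            }
            i++;
            continue;
        }
        while (want > have && i + have < len && is_cont(in[i + have])) have++;
        if (want > 1 && have == want) {
            put(&s, (const char *)in + i, want);   /* valid sequence, copy as-is */
            i += want;
        } else {
            char ent[8];                            /* stray or truncated byte */
            int n = snprintf(ent, sizeof ent, "&#%u;", (unsigned)b);
            put(&s, ent, (size_t)n);
            i++;
        }
    }
    if (out && cap) out[s.written] = '\0';
    return s.needed;
}

/* 1 if in encodes exactly to expected (output must fit in 256 bytes). */
int encodes_to(const char *in, const char *expected) {
    char buf[256];
    size_t n = escape_html_utf8((const unsigned char *)in, strlen(in), buf, sizeof buf);
    return n < sizeof buf && strcmp(buf, expected) == 0;
}

/* 1 if naive_capacity() would have under-allocated for in, judged from the true
 * required length rather than by actually overrunning memory. */
int naive_would_overflow(const char *in) {
    size_t len = strlen(in);
    size_t needed = escape_html_utf8((const unsigned char *)in, len, NULL, 0);
    return needed + 1 > naive_capacity((const unsigned char *)in, len);
}

/* 1 if a too-small buffer is handled cleanly: bytes past cap untouched, output
 * NUL-terminated, and the true required length still reported. */
int truncates_safely(void) {
    char buf[8];
    memset(buf, 'X', sizeof buf);
    size_t n = escape_html_utf8((const unsigned char *)"a<b", 3, buf, 4);
    return n == 6 && strcmp(buf, "a") == 0 && buf[4] == 'X' && buf[7] == 'X';
}

int main(void) {
    /* constructed input: four stray continuation bytes followed by a quote */
    const unsigned char stray[] = "\x80\x80\x80\x80\"";
    printf("naive capacity %zu bytes, actually needed %zu bytes\n",
           naive_capacity(stray, 5), escape_html_utf8(stray, 5, NULL, 0));
    return 0;
}
```

The PHP-side takeaway is that htmlspecialchars($s, ENT_QUOTES, 'UTF-8') is the right call for UTF-8 pages, and that explicit charset is exactly the mode the advisory says triggers the bug on unpatched builds; the remedy is to upgrade or apply the patch, not to drop the charset argument.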


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework