what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Hardened-PHP Project Security Advisory 2006-13.138

Hardened-PHP Project Security Advisory 2006-13.138
Posted Nov 6, 2006
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

Hardened-PHP Project Security Advisory - PHP 5 versions 5.1.6 and below and PHP 4 versions 4.4.4 and below suffer from buffer overflows in htmlentities() and htmlspecialchars() which may allow for remote code execution.

tags | advisory, remote, overflow, php, code execution
SHA-256 | dd4e3c70ff80ad927aae14623932b488a0e87be06018a88e926d95737511aa1d

Hardened-PHP Project Security Advisory 2006-13.138

Change Mirror Download
Hash: SHA1

Hardened-PHP Project

-= Security Advisory =-

Advisory: PHP HTML Entity Encoder Heap Overflow Vulnerability
Release Date: 2006/11/03
Last Modified: 2006/11/03
Author: Stefan Esser [sesser@hardened-php.net]

Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
Severity: Bufferoverflows in htmlentities() and
htmlspecialchars() may result in arbitrary
remote code execution
Risk: Critical
Vendor Status: Vendor has released PHP 5.2.0 which fixes this issue
References: http://www.hardened-php.net/advisory_132006.138.html


Quote from http://www.php.net
"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded
into HTML."

While we were searching for a hole in htmlspecialchars() and
htmlentities() to bypass the encoding of certain chars to exploit
a possible eval() injection hole in another application we
discovered that the implementation contains a possible
bufferoverflow that can be triggered when the UTF-8 charset
is selected.

Unfortunately the whole purpose of both functions is to prepare
userinput for HTML output. Therefore they are used in most PHP
applications as protection against XSS and are always exposed
to userinput.

By triggering the overflow it is possible to overwrite heap
management structures with a limited charset. This can result in
remote code execution. Exploitability has been proven against
for example Linux with glibc 2.3 in a test environment. It
depends on the heap layout, the OS heap implementation and the
used Zend Memory Manager.


The HTML entity encoder of PHP will increase the size of it's
output buffer every time it reaches the end of the current buffer.
Unfortunately the check assumes that the maximum length of an
HTML entity is 8 chars, which is true for most entities. However
especially the Greek character set contains entities that are
longer than 8 chars. Because of this it is for example possible
to trigger the overflow by embedding Greek theta UTF-8 characters
into the input string.

Because the longest HTML entity currently supported is 10 bytes
long this allows overflowing the buffer with the 2 bytes ';' and
'\0'. When exploiting heap overflows it can be enough to just
overwrite the appending memory structure with a single '\0' char
and control the content of the following memory block to execute
arbitrary code.

While the above Greek character exploit is only possible in the
htmlentities() function it is also possible to overwrite with up
to 7 chars by embedding broken UTF-8 characters into the string.
The characters may come from the limited charset 0x00, 0xc0-0xfd.

On Linux glibc systems this is for example enough to trick realloc
into believing that the next memory block is empty and long enough
to store the additional 128 bytes. The position of the buffer is
therefore not changed and following writes to the output buffer
will overwrite the Zend Memory Manager structure of the following
block. This allows the typical linked list unlink exploit against
the Zend Memory Manager.

Proof of Concept:

The Hardened-PHP Project is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

31. October 2006 - Notified security@php.net, patch in CVS
01. November 2006 - Notified vendor-sec
03. November 2006 - PHP developers released PHP 5.2.0
03. November 2006 - Public Disclosure


For PHP 4 users it is strongly recommended to patch their version of
PHP with the following patch until php.net is providing PHP4 updates.


As usual we very strongly recommend that you install Suhosin-Patch
and the Suhosin Extension, because once again this advisory proved
that remotely triggerable overflows in PHP still exist. It is
therefore highly recommended by us to use Suhosin-Patch. It's
canary protection will detect overflows and stop execution to
make exploitation very hard or impossible.

FreeBSD and OpenBSD's PHP ports already come with Suhosin-Patch
activated by default.

Grab your copy and more information at:


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-5465 to this vulnerability.



pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.4.3 (GNU/Linux)


Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By