From: sird at rckc dot at
Operating system: *
PHP version: 5.2.11
PHP Bug Type: *Unicode Issues
Bug description: utf8_decode xml_utf8_decode vuln
Description:
------------
Taken from: http://bugs.php.net/bug.php?id=48230

> Description:
> ------------
> xml_utf8_decode function incorrectly decodes.
>
> Reproduce code:
> ---------------
> <?php
> $ill = chr(0xf0).chr(0xc0).chr(0xc0).chr(0xa7);
> $ill = addslashes($ill);
> echo utf8_decode("$ill");
> echo htmlspecialchars($ill, ENT_QUOTES, "utf-8");
> ?>
>
> Expected result:
> ----------------
> it will output a "'" incorrectly.
>
> Actual result:
> --------------
> it will output a "'" incorrectly.

This is actually a PHP security vulnerability.

Timeline:
* Reported by [email protected]: May 11
* Discovered by [email protected]: June 19
* Discovered by Giorgio Maone / Eduardo Vela: July 14
* Reported and Fixed on PHPIDS: July 14
* Microsoft notified of a XSS Filter bypass: July 14
* Fixed XSS Filter bypass on NoScript 1.9.6: July 20
* Vulnerability disclosed on BlackHat USA 2009: July 29
* Added signature to Acunetix WVS: August 14

References:
* http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
* http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
* http://us2.php.net/manual/en/function.utf8-decode.php#83935
* http://bugs.php.net/bug.php?id=48230
* http://noscript.net/changelog

Read the references for further details.

Reproduce code:
---------------
<?php
echo utf8_decode(addslashes("\xf0\xc0\xc0\xa7 or 1=1-- -"));
// more code in references, check the slides and the acunetix blog
?>

Expected result:
----------------
?
or 1=1-- -

Actual result:
--------------
' or 1=1-- -
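Editor-added illustration, not code from the report or from PHP: a Python model of why escaping before decoding fails on the report's input. The lenient decoder is an assumed approximation of the pre-fix bit-masking behaviour (not PHP's source), placed beside a validating decoder and a well-formedness check that a defender would run on untrusted bytes first; function names are this example's own.

```python
# Constructed sample input: the bytes from the report's reproduce code.
SAMPLE = b"\xf0\xc0\xc0\xa7 or 1=1-- -"

def php_addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def lenient_utf8_to_latin1(data: bytes) -> bytes:
    """Approximation (assumed, not PHP's source) of the pre-fix xml_utf8_decode: the
    lead byte fixes the length and payload bits are OR-ed together with no check for
    valid continuation bytes or overlong forms, so F0 C0 C0 A7 collapses to 0x27 (')."""
    out, i = bytearray(), 0
    while i < len(data):
        c = data[i]
        n, cp = ((4, c & 0x07) if c >= 0xF0 else (3, c & 0x0F) if c >= 0xE0
                 else (2, c & 0x1F) if c >= 0xC0 else (1, c))
        if i + n > len(data):                    # truncated sequence -> '?'
            out.append(0x3F)
            break
        for b in data[i + 1:i + n]:
            cp = (cp << 6) | (b & 0x3F)
        out.append(cp if cp < 0x100 else 0x3F)   # outside Latin-1 -> '?'
        i += n
    return bytes(out)

def strict_utf8_to_latin1(data: bytes) -> bytes:
    """Hardened decode: validating decoder; invalid/overlong input and non-Latin-1 become '?'."""
    text = data.decode("utf-8", errors="replace")
    return "".join(ch if ord(ch) < 0x100 else "?" for ch in text).encode("latin-1")

def is_well_formed_utf8(data: bytes) -> bool:
    """Input check to run on untrusted bytes before any lenient decoder sees them."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def vulnerable_pipeline(data: bytes) -> bytes:
    # Escape the raw bytes first: no quote is visible yet, so nothing gets escaped.
    return lenient_utf8_to_latin1(php_addslashes(data))

def hardened_pipeline(data: bytes) -> bytes:
    # Decode with validation first, then escape what actually came out.
    return php_addslashes(strict_utf8_to_latin1(data))
```

Running both pipelines on SAMPLE shows the apostrophe appearing only in the escape-then-decode order; rejecting input that fails the well-formedness check removes the issue before decoding is reached.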
