ID: 49687
Updated by: [email protected]
Reported By: sird at rckc dot at
-Status: Open
+Status: Feedback
Bug Type: *Unicode Issues
Operating System: *
PHP Version: 5.2.11
New Comment:

Is this a bug in PHP or in scripts which do utf8_decode(addslashes()) instead of addslashes(utf8_decode())? What do you propose to solve this bug?


Previous Comments:
------------------------------------------------------------------------

[2009-09-27 11:20:30] sird at rckc dot at

Description:
------------
Taken from: http://bugs.php.net/bug.php?id=48230

> Description:
> ------------
> The xml_utf8_decode function decodes incorrectly.
>
> Reproduce code:
> ---------------
> <?php
> $ill = chr(0xf0).chr(0xc0).chr(0xc0).chr(0xa7);
> $ill = addslashes($ill);
> echo utf8_decode("$ill");
> echo htmlspecialchars($ill, ENT_QUOTES, "utf-8");
> ?>
>
> Expected result:
> ----------------
> it will output a "'" incorrectly.
>
> Actual result:
> --------------
> it will output a "'" incorrectly.

This is actually a PHP security vulnerability.

Timeline:
* Reported by [email protected]: May 11
* Discovered by [email protected]: June 19
* Discovered by Giorgio Maone / Eduardo Vela: July 14
* Reported and fixed in PHPIDS: July 14
* Microsoft notified of an XSS Filter bypass: July 14
* Fixed XSS Filter bypass in NoScript 1.9.6: July 20
* Vulnerability disclosed at BlackHat USA 2009: July 29
* Added signature to Acunetix WVS: August 14

References:
* http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
* http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
* http://us2.php.net/manual/en/function.utf8-decode.php#83935
* http://bugs.php.net/bug.php?id=48230
* http://noscript.net/changelog

Read the references for further details.

Reproduce code:
---------------
<?php
// "\xf0\xc0\xc0\xa7" contains no quote byte, so addslashes() leaves it alone,
// but utf8_decode() turns the malformed sequence into an unescaped "'".
echo utf8_decode(addslashes("\xf0\xc0\xc0\xa7 or 1=1-- -"));
// more code in references, check the slides and the acunetix blog
?>

Expected result:
----------------
? or 1=1-- -

Actual result:
--------------
' or 1=1-- -

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49687&edit=1
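The following Python block is an added example; it is not part of the bug report and not PHP's code. It models why the byte sequence "\xf0\xc0\xc0\xa7" shown above decodes to an apostrophe and why calling addslashes() before utf8_decode() misses it. The lenient decoder is an assumed model of the PHP 5.2.11 behaviour reported here (it trusts the lead byte's length and masks the following bytes with 0x3F without checking that they are continuation bytes; this arithmetic reproduces the "' or 1=1-- -" output on the page). The function names addslashes, lenient_utf8_decode, strict_utf8_decode, escape_then_decode, decode_then_escape and smuggles_quote, and the PAYLOAD constant, are this example's own.

```python
# Added example (not from the bug report): why \xf0\xc0\xc0\xa7 becomes "'"
# under a lenient UTF-8 decoder, and why addslashes() before decoding misses it.

# Bytes PHP's addslashes() escapes: single quote, double quote, backslash, NUL.
ADDSLASHES_CHARS = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}

# Constructed input, taken from the reproduce code in the report.
PAYLOAD = b"\xf0\xc0\xc0\xa7 or 1=1-- -"


def addslashes(data: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): it only sees literal quote bytes."""
    return b"".join(ADDSLASHES_CHARS.get(b, bytes([b])) for b in data)


def lenient_utf8_decode(data: bytes) -> str:
    """Assumed model of the old utf8_decode(): the lead byte decides the
    sequence length, every following byte is masked with 0x3F with no check
    that it is a continuation byte, and no overlong-form check is made.
    Output is Latin-1 like utf8_decode(): code points above 0xFF become '?'."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, length = b, 1
        elif 0xC0 <= b < 0xE0:
            cp, length = b & 0x1F, 2
        elif 0xE0 <= b < 0xF0:
            cp, length = b & 0x0F, 3
        elif 0xF0 <= b < 0xF8:
            cp, length = b & 0x07, 4
        else:  # stray continuation byte or 0xF8+: model emits '?'
            out.append("?")
            i += 1
            continue
        if i + length > n:  # truncated sequence: model emits '?'
            out.append("?")
            i += 1
            continue
        for k in range(1, length):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp) if cp <= 0xFF else "?")
        i += length
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str:
    """Standards-conforming decode: malformed bytes (and code points above
    0xFF) become '?', so a non-quote byte sequence can never yield a quote."""
    text = data.decode("utf-8", errors="replace")
    return "".join(c if ord(c) <= 0xFF else "?" for c in text)


def escape_then_decode(data: bytes) -> str:
    """The vulnerable order from the report: utf8_decode(addslashes(...))."""
    return lenient_utf8_decode(addslashes(data))


def decode_then_escape(data: bytes) -> str:
    """The order the maintainer's comment asks about: addslashes(utf8_decode(...)).
    Escaping runs on the decoded text, so the smuggled quote is seen."""
    decoded = lenient_utf8_decode(data)  # all code points <= 0xFF here
    return addslashes(decoded.encode("latin-1")).decode("latin-1")


def smuggles_quote(data: bytes) -> bool:
    """Detection check: True when lenient decoding produces a character that
    addslashes() would escape but that was absent as a literal input byte."""
    before = {b for b in data if b in ADDSLASHES_CHARS}
    after = {ord(c) for c in lenient_utf8_decode(data) if ord(c) in ADDSLASHES_CHARS}
    return bool(after - before)


if __name__ == "__main__":
    print("lenient decode      :", lenient_utf8_decode(PAYLOAD))
    print("escape then decode  :", escape_then_decode(PAYLOAD))
    print("decode then escape  :", decode_then_escape(PAYLOAD))
    print("strict decode       :", strict_utf8_decode(PAYLOAD))
    print("smuggled quote?     :", smuggles_quote(PAYLOAD))
```

The arithmetic is the whole story: (0xf0 & 0x07) << 18 | (0xc0 & 0x3f) << 12 | (0xc0 & 0x3f) << 6 | (0xa7 & 0x3f) is 0x27, an apostrophe, even though no input byte is 0x27. Escaping after decoding fixes the ordering problem, and a strict decoder removes it altogether; smuggles_quote() is the kind of check a WAF or IDS signature for this bypass boils down to.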
