ID:               49687
 User updated by:  sird at rckc dot at
 Reported By:      sird at rckc dot at
-Status:           Feedback
+Status:           Open
 Bug Type:         *Unicode Issues
 Operating System: *
 PHP Version:      5.2.11
 New Comment:

it is a PHP bug, the function is not decoding correctly, check the ppt
and the acunetix blog for details.

there are several bugs in the code, one of them is that a variable
holding the value of the char is overflowed (trying to put 21 bits in a
16-bit int), also the code is not checking if it is a valid Unicode
char (reading the Unicode specification should explain it).

the example r...@80sec gave you was an overlong UTF representation of a
single quote. That is forbidden by Unicode, and should transform the
char to ?.

also, the code is not checking if the chars are valid UTF, so stuff
like: <img alt="\x90" title=" src=x:x onerror=alert(1)//"> are going to
be transformed to <img alt="? title=" src=x:x onerror=alert(1)//">


this is a very serious vulnerability and there are several bugs in the
same function (there's even unreachable code).

you can check the implementation of UTF by Mozilla or WebKit, they do
it right. Don't use Java as a reference since they are also flawed.

due to the fact that PHP is for web applications and UTF is widely
used, and it allows an attacker to do all types of attacks (from SQL
injection to XSS) it's imperative to fix that function.

Greetings!!


Previous Comments:
------------------------------------------------------------------------

[2009-09-28 19:38:24] sjo...@php.net

Is this a bug in PHP or in scripts which do utf8_decode(addslashes())
instead of addslashes(utf8_decode())? What do you propose to solve this
bug?

------------------------------------------------------------------------

[2009-09-27 11:20:30] sird at rckc dot at

Description:
------------
Taken from: http://bugs.php.net/bug.php?id=48230
> 
> Description:
> ------------
> xml_utf8_decode function decodes incorrectly.
> 
> Reproduce code:
> ---------------
> <?php
> $ill=chr(0xf0).chr(0xc0).chr(0xc0).chr(0xa7);
> $ill=addslashes($ill);
> echo utf8_decode("$ill");
> echo htmlspecialchars ($ill,ENT_QUOTES,"utf-8" );
> ?>
> 
> Expected result:
> ----------------
> it will output a "'" incorrectly.
> 
> Actual result:
> --------------
> it will output a "'" incorrectly.


This is actually a PHP security vulnerability.

Timeline:
* Reported by r...@80sec.com: May 11
* Discovered by webmas...@lapstore.de: June 19
* Discovered by Giorgio Maone / Eduardo Vela: July 14
* Reported and Fixed on PHPIDS: July 14
* Microsoft notified of an XSS Filter bypass: July 14
* Fixed XSS Filter bypass on NoScript 1.9.6:  July 20
* Vulnerability disclosed on BlackHat USA 2009: July 29
* Added signature to Acunetix WVS: August 14

References:
* http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
* http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
* http://us2.php.net/manual/en/function.utf8-decode.php#83935
* http://bugs.php.net/bug.php?id=48230
* http://noscript.net/changelog

Read the references for further details.

Reproduce code:
---------------
<?php
echo utf8_decode(addslashes("\xf0\xc0\xc0\xa7 or 1=1-- -"));
// more code in references, check the slides and the acunetix blog
?>

Expected result:
----------------
? or 1=1-- -

Actual result:
--------------
' or 1=1--

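The decoding and escaping-order problems discussed in this thread, as an added example in Python that is not part of the bug report or of PHP's source: lenient_decode models the masking behaviour the report describes (assumed from the description, not taken from PHP's actual code), strict_decode rejects malformed and overlong sequences, and addslashes is a Python stand-in for PHP's function of the same name. PAYLOAD is the constructed input from the reproduce code above.

```python
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}  # smallest code point per length
PAYLOAD = b"\xf0\xc0\xc0\xa7 or 1=1-- -"  # constructed from the report's repro

def seq_len(b: int) -> int:
    """Sequence length claimed by lead byte b (1 for ASCII or stray bytes)."""
    return 4 if b >= 0xF0 else 3 if b >= 0xE0 else 2 if b >= 0xC0 else 1

def lenient_decode(data: bytes) -> str:
    """Assumed model of the flawed decoder: trusts the lead byte, masks the tail with 0x3F, never checks overlongs."""
    out, i = [], 0
    while i < len(data):
        n = seq_len(data[i])
        cp = data[i] if n == 1 else data[i] & (0xFF >> (n + 1))
        for t in data[i + 1:i + n]:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp < 0x100 else "?")  # utf8_decode emits Latin-1
        i += n
    return "".join(out)

def strict_decode(data: bytes) -> str:
    """Rejects bad continuation bytes, overlongs, surrogates and cp > U+10FFFF; each rejection becomes '?'."""
    out, i = [], 0
    while i < len(data):
        n, b = seq_len(data[i]), data[i]
        tail = data[i + 1:i + n]
        if n == 1:
            cp = b if b < 0x80 else -1  # lone continuation byte is invalid
        elif len(tail) < n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            cp, n = -1, 1  # broken sequence: drop only the lead byte
        else:
            cp = b & (0xFF >> (n + 1))
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < MIN_CP[n] or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                cp = -1  # overlong form, surrogate, or beyond Unicode range
        out.append(chr(cp) if 0 <= cp < 0x100 else "?")
        i += n
    return "".join(out)

def addslashes(s: str) -> str:
    """Stand-in for PHP addslashes(): escape ' \" \\ and NUL with a backslash."""
    return "".join("\\0" if c == "\0" else "\\" + c if c in "'\"\\" else c for c in s)

def wrong_order(data: bytes) -> str:
    """utf8_decode(addslashes($x)): escaping sees no quote, decoding then creates one."""
    return lenient_decode(addslashes(data.decode("latin-1")).encode("latin-1"))

def right_order(data: bytes, decode=strict_decode) -> str:
    """addslashes(utf8_decode($x)): escape what the decoder actually produced."""
    return addslashes(decode(data))
```

With the lenient decoder the overlong bytes become a bare quote after escaping has already run; decoding first lets addslashes see the quote, and the strict decoder never produces it at all.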

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49687&edit=1