PHP htmlspecialchars Function Buffer Overflow (Mar 1, 2012)

PHP is a general-purpose server-side scripting language originally designed for Web development to produce dynamic Web pages. It was one of the first server-side scripting languages that could be embedded directly into an HTML source document, rather than calling an external file to process data. PHP can be deployed on most Web servers and also as a standalone shell on almost every operating system and platform, free of charge.

PHP has hundreds of base functions and thousands more via extensions, among them functions that convert between plain text and the corresponding HTML entities. For example, because the character '<' starts a tag in HTML, it is escaped as the HTML entity '&lt;' in an HTML document. The PHP functions htmlentities and htmlspecialchars replace characters in a string with their entity equivalents: htmlspecialchars converts only the characters with special meaning in HTML (&, ", ', < and >), while htmlentities converts every character that has a named entity. The function htmlentities has the following definition:

 string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = 'UTF-8' [, bool $double_encode = true ]]] )

A heap buffer overflow exists in PHP. Calling the PHP functions htmlentities or htmlspecialchars invokes the underlying native implementation, which allocates an output buffer and copies the converted data into it. Under a specific condition, the converted data written exceeds the space that was allocated, so the destination buffer is overrun. A remote attacker can trigger this in any web application that passes user-controlled input to htmlentities or htmlspecialchars. Successful exploitation may result in the execution of arbitrary code in the security context of the affected web application.
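The property at stake in the paragraph above, shown as an added illustration written for this page (this is not PHP's own html.c code and does not reproduce the vulnerable condition): an escaper in the style of htmlspecialchars has to work out how much the output grows before it copies, because a single input byte such as '"' expands to the six-byte entity &quot;. The function names html_escape and escaped_length, the ENT_QUOTES-style treatment of the single quote, and the sample input are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for each of the five characters htmlspecialchars handles when
 * quotes are escaped (ENT_QUOTES-style behaviour is assumed here). NULL means
 * "copy the byte unchanged". */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#039;";
    default:   return NULL;
    }
}

/* Exact number of output bytes (without the terminating NUL) that the escaped
 * form of in[0..len) occupies. Every byte expands to at most 6 bytes. */
size_t escaped_length(const char *in, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        const char *e = entity_for((unsigned char)in[i]);
        out += e ? strlen(e) : 1;
    }
    return out;
}

/* Returns a freshly malloc'd, NUL-terminated escaped copy of in[0..len), or
 * NULL if the size computation would overflow or allocation fails. The caller
 * frees the result. The buffer is sized from the exact pre-computed length,
 * not from a guessed multiple of the input length. */
char *html_escape(const char *in, size_t len)
{
    /* Worst case is 6 output bytes per input byte plus the NUL; refuse inputs
     * for which that arithmetic would wrap around in size_t. */
    if (len > (SIZE_MAX - 1) / 6)
        return NULL;

    size_t need = escaped_length(in, len);
    char *out = malloc(need + 1);
    if (out == NULL)
        return NULL;

    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        const char *e = entity_for((unsigned char)in[i]);
        if (e != NULL) {
            size_t elen = strlen(e);
            /* Defensive bound: unreachable because need was computed exactly,
             * but it turns any future sizing mistake into a clean failure
             * instead of a heap overrun. */
            if (pos + elen > need) {
                free(out);
                return NULL;
            }
            memcpy(out + pos, e, elen);
            pos += elen;
        } else {
            out[pos++] = in[i];
        }
    }
    out[pos] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input containing every escaped character. */
    const char *sample = "<a href=\"x\">Tom & Jerry's</a>";
    char *escaped = html_escape(sample, strlen(sample));
    if (escaped == NULL)
        return 1;
    printf("%zu input bytes -> %zu output bytes\n%s\n",
           strlen(sample), escaped_length(sample, strlen(sample)), escaped);
    free(escaped);
    return 0;
}
```

The two-pass structure is the point: the allocation size is derived from the same table the copy loop uses, so the two cannot disagree, and the explicit bound check in the copy loop means a sizing bug degrades to a failed call rather than a heap overrun of the kind described above.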

The SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect and prevent attacks targeting this issue:

  • 7453 PHP htmlspecialchars Function Buffer Overflow

The vendor refers to this vulnerability as bug 60965.
