id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
427,Workaround for PHP HTML Entity Encoder Heap Overflow Vulnerability,JavaWoman,JavaWoman,"In November 2006, a ""'''highly critical'''"" (Secunia, see {{{[3]}}}) vulnerability in PHP's handling of '''htmlentities()''' and '''htmlspecialchars()''' was announced (see refs) and fixed by PHP in release 5.2; the [http://www.php.net/releases/5_2_0.php release announcement for PHP 5.2] makes mention of this fix. However, version 4.4.x was vulnerable as well, and although version 4.4.5 has been released since, its [http://www.php.net/releases/4_4_5.php release announcement] makes no mention of any fix for this vulnerability. Ref {{{[4]}}} does mention an unofficial patch available from http://cvs.php.net/. [[BR]]
Many hosters do not even provide version 5.x, and quite a number of them are not particularly quick at upgrading PHP versions, let alone applying unofficial patches. Only installations running on FreeBSD or OpenBSD have a degree of protection ({{{[4]}}}), but it can be safely assumed that is a minority.

The conclusion must be that many of our users' installations will be vulnerable, including practically all running PHP 4.x.

Looking at the details in the Hardened-PHP description ({{{[4]}}}), it seems possible to provide at least a degree of protection by creating a wrapper around the PHP functions that first ""manually"" replaces the characters leading to a possible buffer overflow. Since it seems all versions below 5.2 currently must be assumed to be vulnerable (the unofficial 4.4.x patch can't be detected), we can simply use a version_compare() against 5.2 to decide whether to do this ""manual"" replacement.

Such a workaround may not be 100% reliable (no guarantees!) but could at least give a degree of protection for our users' installations.


References:[[BR]]
{{{[1]}}} http://www.ubuntu.com/usn/usn-375-1 [[BR]]
{{{[2]}}} http://www.securityfocus.com/bid/20879/info [[BR]]
{{{[3]}}} http://secunia.com/advisories/22653/ [[BR]]
{{{[4]}}} http://www.hardened-php.net/advisory_132006.138.html",enhancement,closed,high,1.1.6.3,unspecified,1.1.6.2,critical,fixed,,
