Ticket #427 (closed enhancement: fixed)
Workaround for PHP HTML Entity Encoder Heap Overflow Vulnerability
|Reported by:||JavaWoman||Owned by:||JavaWoman|
Description (last modified by NilsLindenberg) (diff)
In November 2006, a "highly critical" (Secunia, see ) vulnerability in PHP's handling of htmlentities() and htmlspecialchars() was announced (see refs) and fixed by PHP in release 5.2; the release announcement for PHP 5.2 makes mention of this fix. However, version 4.4.x was vulnerable as well, and although version 4.4.5 has been released since, its release announcement makes no mention of any fix for this vulnerability. Ref  does mention an unofficial patch available from http://cvs.php.net/.
Many hosters do not even provide version 5.x, and quite a number of them are not particularly quick at upgrading PHP versions, let alone applying unofficial patches. Only installations running on FreeBSD or OpenBSD have a degree of protection () but it can be safely assumed that is a minority.
The conclusion must be that many of our users' installations will be vulnerable, including practically all running PHP 4.x.
Looking at the details in the Hardened-PHP description (), it seems possible to provide at least a degree of protection by creating a wrapper around the PHP functions that first "manually" replaces the characters leading to a possible buffer overflow. Since it seems all versions below 5.2 currently must be assumed to be vulnerable (the unofficial 4.4.x patch can't be detected), we can simply use a version_compare() against 5.2 to decide whether to do this "manual" replacement.
Such a workaround may not be 100% reliable (no guarantees!) but could at least give a degree of protection for our users' installations.