CVE-2010-3870

Description

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

CVSS Metrics

• v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.62%• Percentile: 70%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• canonical•ubuntu_linux

  6.06 | 8.04 | 9.10 | 10.04 | 10.10

• Unknown•PHP

  < 5.2.14 | ≥ 5.3.0, < 5.3.4

References (33)

• http://www.openwall.com/lists/oss-security/2010/11/02/11
• http://www.vupen.com/english/advisories/2011/0077
• http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html
• http://secunia.com/advisories/42812
• http://marc.info/?l=bugtraq&m=133469208622507&w=2
• http://www.openwall.com/lists/oss-security/2010/11/02/2
• http://www.redhat.com/support/errata/RHSA-2011-0195.html
• http://www.openwall.com/lists/oss-security/2010/11/02/4
• http://www.securitytracker.com/id?1024797
• http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
• http://bugs.php.net/bug.php?id=49687
• http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
• http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
• http://www.ubuntu.com/usn/USN-1042-1
• http://www.openwall.com/lists/oss-security/2010/11/02/6
• http://www.redhat.com/support/errata/RHSA-2010-0919.html
• http://bugs.php.net/bug.php?id=48230
• http://www.vupen.com/english/advisories/2011/0021
• http://www.php.net/ChangeLog-5.php
• http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
• http://www.openwall.com/lists/oss-security/2010/11/02/1
• http://secunia.com/advisories/42410
• http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:224
• http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html
• http://www.openwall.com/lists/oss-security/2010/11/03/1
• http://svn.php.net/viewvc?view=revision&revision=304959
• http://www.vupen.com/english/advisories/2011/0020
• http://www.openwall.com/lists/oss-security/2010/11/02/8
• http://www.securityfocus.com/bid/44605
• http://us2.php.net/manual/en/function.utf8-decode.php#83935
• http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
• http://www.vupen.com/english/advisories/2010/3081
• http://support.apple.com/kb/HT4581