CERT-MU Vulnerability Note VN-2008-16
‘mbstring’ Buffer Overflow and XSS vulnerabilities in PHP
Original Issue Date: January 13, 2009
Severity Rating: High
Systems Affected
- PHP version prior to 5.2.7
Overview
Multiple vulnerabilities have been reported in PHP which could allow an attacker to execute arbitrary code and to take complete control of a vulnerable system.
Description
1. mbstring Buffer Overflow Vulnerability
A heap overflow vulnerability has been reported in the multibyte string extension (mbstring package) for PHP. The vulnerability is due to improper bounds checking by the mb_convert_encoding(), mb_check_encoding(), mb_convert_variables() and mb_parse_str() functions when converting strings containing HTML entities into Unicode strings.
A remote attacker could exploit this vulnerability using a specially crafted string containing an HTML entity to execute arbitrary code in the context of the affected web server, or to cause the affected application to crash.
2. Cross-site scripting (XSS) vulnerability
A cross-site scripting (XSS) vulnerability has been reported in PHP 5.2.7 and earlier when display_errors is enabled, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
To work around this vulnerability:
Set display_errors=off in the php.ini configuration file.
Solution
Update to the latest version, PHP 5.2.8:
http://www.php.net/downloads.php
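As an added example (not part of the CERT-MU advisory), a small PHP audit script that reports whether a host still matches the conditions described above: a PHP release older than 5.2.8 with mbstring loaded, or display_errors enabled. The fixed version (5.2.8) and the display_errors workaround come from the advisory; the function names and the list of values accepted as "off" are this example's own assumptions.

```php
<?php
// Added audit script, not part of the advisory. It only reports; it changes nothing.
// Assumption (from the advisory): both issues are fixed in PHP 5.2.8.

function php_version_is_fixed($version = PHP_VERSION)
{
    // CVE-2008-5557 (mbstring heap overflow) and CVE-2008-5814 (XSS via
    // display_errors) are addressed in 5.2.8 and later.
    return version_compare($version, '5.2.8', '>=');
}

function display_errors_is_off($value)
{
    // ini_get() returns the raw php.ini string. Values such as "stderr" or
    // "stdout" still mean errors are displayed, so only an explicit "off"
    // spelling (assumed list below) counts as disabled.
    $off = array('', '0', 'off', 'false', 'no');
    return in_array(strtolower(trim((string) $value)), $off, true);
}

function audit()
{
    $findings = array();
    if (!php_version_is_fixed()) {
        $findings[] = 'PHP ' . PHP_VERSION . ' is older than 5.2.8: update to 5.2.8 or later';
        if (extension_loaded('mbstring')) {
            // The vulnerable mb_* conversion functions are only reachable when
            // the extension is loaded.
            $findings[] = 'mbstring is loaded on an unpatched build (CVE-2008-5557)';
        }
    }
    $display = ini_get('display_errors');
    if (!display_errors_is_off($display)) {
        // Weak setting: display_errors = On   Corrected: display_errors = Off
        $findings[] = "display_errors is enabled ('$display'): set display_errors=Off in php.ini (CVE-2008-5814 workaround)";
    }
    return $findings;
}

$findings = audit();
if (!$findings) {
    echo 'No findings', PHP_EOL;
}
foreach ($findings as $f) {
    echo '- ', $f, PHP_EOL;
}
```

Run it with the same php.ini the web server uses (for example via the web SAPI, not only the CLI), since display_errors is commonly set per SAPI.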
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Vendor Information
PHP
http://bugs.php.net/bug.php?id=45722
CVE Name
CVE-2008-5557
CVE-2008-5814
References
PHP
http://bugs.php.net/bug.php?id=45722
SecurityFocus
http://www.securityfocus.com/bid/32948
SecurityTracker
http://securitytracker.com/id?1021482
ISS XFORCE
http://xforce.iss.net/xforce/xfdb/47525
Securi Team
http://www.securiteam.com/unixfocus/6X00P0ANFM.html
JVN
http://jvn.jp/en/jp/JVN50327700/index.html