MySQL utf8 4-byte truncation

Description

Manual confirmation is required for this alert.

A character that is encoded in UTF-8 can technically be between one and four bytes in length. MySQL's utf8 charsets only support 3-byte characters. When you insert a string containing a 4-byte character into a utf8 column, the default MySQL behaviour is to truncate the rest of the string after (and including) the occurence of the 4-byte character.

This behaviour can cause various security issues such as "WordPress < 4.1.2 Stored XSS vulnerability" discovered by Cedric Van Bockhaven (consult references for more information about this vulnerability).

It was detected that your application is also truncating utf8 4-byte characters and therefore is potentially affected by this MySQL behaviour. Acunetix WVS cannot fully determine if your application is vulnerable, it only confirmed that strings containing utf8 4-byte characters are truncated while strings containing utf8 3-byte characters are not truncated. This vulnerability must be investigated and confirmed manually.

Remediation

It's recommended to use MySQL's strict mode where possible. Where this is not possible, make sure your application is prepared to handle well utf8 4-byte character truncations.

References
Severity
Classification
Tags
  • Configuration