MySQL utf8 4-byte truncation

Description
  • Manual confirmation is required for this alert.

    A character that is encoded in UTF-8 can technically be between one and four bytes in length. MySQL's utf8 charsets only support 3-byte characters. When you insert a string containing a 4-byte character into a utf8 column, the default MySQL behaviour is to truncate the rest of the string after (and including) the occurence of the 4-byte character.

    This behaviour can cause various security issues such as "WordPress < 4.1.2 Stored XSS vulnerability" discovered by Cedric Van Bockhaven (consult references for more information about this vulnerability).

    It was detected that your application is also truncating utf8 4-byte characters and therefore is potentially affected by this MySQL behaviour. Acunetix cannot fully determine if your application is vulnerable, it only confirmed that strings containing utf8 4-byte characters are truncated while strings containing utf8 3-byte characters are not truncated. This vulnerability must be investigated and confirmed manually.
Remediation
  • It's recommended to use MySQL's strict mode where possible. Where this is not possible, make sure your application is prepared to handle well utf8 4-byte character truncations.
References