Description

This alert was generated using only banner information. It may be a false positive.

Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.

Affected PHP versions (up to 4.4.4/5.1.6).

Remediation

Upgrade PHP to the latest version.

References

PHP HTML Entity Encoder Heap Overflow Vulnerability

PHP Homepage

Related Vulnerabilities

WordPress Plugin Gmedia Photo Gallery Arbitrary File Upload (1.2.1)

Joomla! Core 3.x.x Multiple Cross-Site Scripting Vulnerabilities (3.0.0 - 3.8.7)

WordPress Plugin Verification Code for Comments Multiple Cross-Site Scripting Vulnerabilities (2.1.0)

WordPress Plugin WooCommerce Stock Manager Cross-Site Request Forgery (2.5.7)

WordPress Plugin Buzzwords Cross-Site Scripting (1.1.0)

Severity

High

Classification

CVE-2006-5465 CWE-119 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Tags

Denial Of Service Missing Update