Description

This alert was generated using only banner information. It may be a false positive.

Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.

Affected PHP versions (up to 4.4.4/5.1.6).

Remediation

Upgrade PHP to the latest version.

References

PHP HTML Entity Encoder Heap Overflow Vulnerability

PHP Homepage

Related Vulnerabilities

Python Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2022-48566)

Joomla! Core 2.5.x Security Bypass (2.5.0 - 2.5.2)

WordPress Plugin Aoi Tori Cross-Site Scripting (1.1)

WordPress Plugin GiveWP-Donation and Fundraising Platform PHP Object Injection (2.3.0)

Apache Tomcat Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2017-12617)

Severity

High

Classification

CVE-2006-5465 CWE-119 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Denial Of Service Missing Update Buffer Overflow