Heap-based Buffer Overflow In 'mbstring' Extension For PHP Network Vulnerability

Summary

The host is running PHP and is prone to Buffer Overflow vulnerability.

Impact

Successful exploitation could allow attackers to execute arbitrary code via a crafted string containing an HTML entity. Impact Level: Application

Solution

Upgrade to version 5.2.7 or later, http://www.php.net/downloads.php

Insight

The flaw is due to error in mbfilter_htmlent.c file in the mbstring extension. These can be exploited via mb_convert_encoding, mb_check_encoding, mb_convert_variables, and mb_parse_str functions.

Affected

PHP version 4.3.0 to 5.2.6 on all running platform.

References

http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0477.html
http://bugs.php.net/bug.php?id=45722

Updated on 2015-03-25

Severity

Classification

CVE CVE-2008-5557

CVSS	Base Score: 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C

Related Vulnerabilities

Cscope putstring Multiple Buffer Overflow vulnerability
Avaya WinPDM Multiple Buffer Overflow Vulnerabilities
Adobe Flash Professional JPG Object Processing BOF Vulnerability (Windows)
BaoFeng Storm '.smpl' File Buffer Overflow Vulnerability
Apple iTunes 'itms:' URI Stack Buffer Overflow Vulnerability

Heap-based buffer overflow in 'mbstring' extension for PHP

Take action and discover your vulnerabilities