HTML-Parser 'decode_entities()' Denial Of Service Vulnerability Network Vulnerability

Summary

This host is installed with HTML-Parser and is prone to Denial of Service Vulnerability.

Impact

Successful exploitation could result in Denial of Serivce condition. Impact Level: Application.

Solution

Upgrade to HTML-Parser version 3.63 or later http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/HTML-Parser-3.63.tar.gz (or) Apply the patch, http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c ***** NOTE: Please ignore this warning if the patch is already applied. *****

Insight

The flaw is due to an error within the 'decode_entities()' function in 'utils.c', which can be exploited to cause an infinite loop by tricking an application into processing a specially crafted string using this library.

Affected

HTML-Parser versions prior to 3.63 on Linux.

References

http://secunia.com/advisories/37155
http://www.openwall.com/lists/oss-security/2009/10/23/9
http://xforce.iss.net/xforce/xfdb/53941
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-3627

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P

Related Vulnerabilities

Apple Safari URI NULL Pointer Dereference DoS Vulnerability (Win)
ClamAV LZH File Unpacking Denial of Service Vulnerability (Linux)
Baidu Spark Browser Denial of Service Vulnerability -01 August14 (Windows)
ClamAV Recursion Level Handling Denial of Service Vulnerability (Windows)
Apache APR-util 'buckets/apr_brigade.c' Denial Of Service Vulnerability

HTML-Parser 'decode_entities()' Denial of Service Vulnerability

Take action and discover your vulnerabilities