Description

This alert was generated using only banner information. It may be a false positive.

Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.

Affected PHP versions (up to 4.4.4/5.1.6).

Remediation

Upgrade PHP to the latest version.

References

PHP HTML Entity Encoder Heap Overflow Vulnerability

PHP Homepage

Related Vulnerabilities

Drupal Core Security Bypass (8.0.0 - 9.1.15)

FluxBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-35240)

Coppermine Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3722)

phpMyFAQ Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-15735)

WordPress Plugin SP Project & Document Manager Multiple Vulnerabilities (2.5.9.7)

Severity

High

Classification

CVE-2006-5465 CWE-119 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Denial Of Service Missing Update Buffer Overflow