PHP htmlspecialchars Function Buffer Overflow

March 1, 2012

PHP is a general-purpose server-side scripting language originally designed for Web development to produce dynamic Web pages. It is among one of the first developed server-side scripting languages to be embedded into an HTML source document, rather than calling an external file to process data. PHP can be deployed on most Web servers and also as a standalone shell on almost every operating system and platform free of charge.

PHP has hundreds of base functions and thousands more via extensions. Among them are the functions that convert between plain text and the corresponding HTML entities. For example, because the character '<' starts a tag in HTML, it is escaped as the HTML entity '&lt;' in an HTML document. The PHP functions htmlentities and htmlspecialchars replace characters in a string that have an HTML entity equivalent with that entity; htmlentities has the following function definition:

 string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = 'UTF-8' [, bool $double_encode = true ]]] )
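The following script is an added example, not code from the original advisory or from the PHP project; it exercises each parameter of the signature above (flags, encoding and double_encode) so that the difference between htmlentities and htmlspecialchars, and the effect of passing explicit flags rather than relying on defaults, is visible on constructed sample input:

```php
<?php
// Added example: constructed inputs, run with any PHP 5.4+ interpreter.
// Flags are passed explicitly in every call so the behaviour does not depend
// on the interpreter's defaults (PHP 8.1 changed the default flags).

// Constructed sample input containing every character htmlspecialchars() handles.
$untrusted = '<a href="x" title=\'t\'>Tom & Jerry</a>';

// ENT_COMPAT | ENT_HTML401 (the defaults in the signature above) escapes
// < > & and double quotes only; single quotes pass through, which matters
// when the value is emitted inside a single-quoted attribute.
echo htmlspecialchars($untrusted, ENT_COMPAT | ENT_HTML401, 'UTF-8'), PHP_EOL;

// ENT_QUOTES escapes single quotes as well, and naming the encoding avoids
// depending on the ini default; prefer this form for attribute values.
echo htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// htmlentities() additionally converts non-ASCII characters that have a named
// entity (the e-acute in "café"); htmlspecialchars() leaves them untouched.
$nonAscii = 'café <b>';
echo htmlentities($nonAscii, ENT_QUOTES, 'UTF-8'), PHP_EOL;
echo htmlspecialchars($nonAscii, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// $double_encode = false leaves existing entities alone instead of turning
// "&amp;" into "&amp;amp;"; only use it on data known to be escaped exactly once.
$alreadyEscaped = 'Tom &amp; Jerry &lt;3';
echo htmlspecialchars($alreadyEscaped, ENT_QUOTES, 'UTF-8', true), PHP_EOL;
echo htmlspecialchars($alreadyEscaped, ENT_QUOTES, 'UTF-8', false), PHP_EOL;

// A byte sequence that is invalid for the declared encoding makes both functions
// return an empty string unless ENT_SUBSTITUTE (PHP 5.4+) or ENT_IGNORE is set,
// so callers should check the result rather than assume output is never empty.
$invalid = "abc\xC3";
$out = htmlspecialchars($invalid, ENT_QUOTES, 'UTF-8');
echo $out === '' ? 'invalid UTF-8 rejected' : $out, PHP_EOL;
```

Passing the encoding and flags explicitly, as every call above does, is the usual hardening advice for these functions regardless of the bug discussed here: it keeps the escaping rules and the byte-level interpretation of the input fixed across PHP versions and server configurations.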

A heap buffer overflow exists in PHP. Calling the PHP functions htmlentities or htmlspecialchars invokes an underlying native function that allocates a destination buffer and copies the supplied data into it. Under certain conditions, that destination buffer can be overrun by calls to these PHP functions. A remote attacker can exploit this vulnerability against a web application that passes user input to htmlentities or htmlspecialchars. Successful exploitation may result in the execution of arbitrary code in the security context of the affected web application.

The SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect and prevent attacks targeting this issue:

  • 7453 PHP htmlspecialchars Function Buffer Overflow

This vulnerability is referred to by the vendor as 60965.