Source:80sec
Vulnerability description: PHP is a widely used programming language that can be embedded in HTML for web development. Some of its encoding functions produce incorrect results when they process malformed UTF-8 sequences, which in some situations leads to application security vulnerabilities: an attacker can use such sequences to bypass logic filters that inspect the input before it is decoded.
Cause of vulnerability: PHP does not properly handle malformed sequences when decoding UTF-8. The byte sequences shown below
    0xC0 0xA7
    0xE0 0xC0 0xA7
    0xF0 0xC0 0xC0 0xA7
are all mistakenly decoded to 0x27 (the single quote character '), which is what leads to the security problem. As an example, the source of xml_utf8_decode(), the routine behind PHP's utf8_decode() function, is as follows:
PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
{
    int pos = len;
    char *newbuf = emalloc(len + 1);
    unsigned short c;
    char (*decoder)(unsigned short) = NULL;
    xml_encoding *enc = xml_get_encoding(encoding);

    *newlen = 0;
    if (enc) {
        decoder = enc->decoding_function;
    }
    if (decoder == NULL) {
        /* If the target encoding was unknown, or no decoder function
         * was specified, return the UTF-8-encoded data as-is.
         */
        memcpy(newbuf, s, len);
        *newlen = len;
        newbuf[*newlen] = '\0';
        return newbuf;
    }
    while (pos > 0) {
        c = (unsigned char)(*s);
        /* The trailing bytes are never checked to be 10xxxxxx continuation
         * bytes and overlong forms are not rejected, so 0xC0 0xA7 yields 0x27. */
        if (c >= 0xf0) { /* four bytes encoded, 21 bits */
            c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
            s += 4;
            pos -= 4;
        } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
            c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
            s += 3;
            pos -= 3;
        } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
            c = ((s[0]&63)<<6) | (s[1]&63);
            s += 2;
            pos -= 2;
        } else {
            s++;
            pos--;
        }
        newbuf[*newlen] = decoder ? decoder(c) : c;
        ++*newlen;
    }
    if (*newlen < len) {
        newbuf = erealloc(newbuf, *newlen + 1);
    }
    newbuf[*newlen] = '\0';
    return newbuf;
}
xml_utf8_decode() is used widely in the decoding paths of the xml and wddx extensions. When it processes UTF-8 it does not follow the UTF-8 decoding rules strictly: it never verifies that the bytes following a lead byte are continuation bytes (10xxxxxx) and never rejects overlong encodings, so malformed data is accepted and silently mapped to a different character. PHP's htmlspecialchars() and other functions have similar problems when processing UTF-8.
Vulnerability Testing:
<?php
$ill = chr(0xf0).chr(0xc0).chr(0xc0).chr(0xa7);
$ill = addslashes($ill);   // the raw bytes contain no quote, so nothing is escaped
echo utf8_decode("$ill");   // prints a single quote
echo htmlspecialchars($ill, ENT_QUOTES, "utf-8");
?>
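To make the failure mode concrete, here is an added example (not PHP's code and not part of the original advisory): a stand-alone C port of the decoding arithmetic from xml_utf8_decode(), placed beside a strict RFC 3629 decoder, plus a small function that models the test above, a quote filter run on the raw bytes followed by the lax decoder. All input byte strings are constructed for the example and the function names are the example's own.

```c
/* Added example: port of the lax decoding loop next to a strict decoder. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lax decode with the same arithmetic as the loop in xml_utf8_decode():
 * every byte >= 0xC0 is taken as a lead byte, the bytes after it are consumed
 * without checking that they are 10xxxxxx continuation bytes, overlong forms
 * are not rejected, and the value is truncated to unsigned short as in the
 * original (the three-byte branch masks the lead byte with 63, so bit 5 of
 * 0xE0 lands at bit 17 and is lost). Output follows utf8_decode()'s
 * ISO-8859-1 target: values above 0xFF become '?'. Returns bytes written;
 * out is NUL-terminated and must hold len + 1 bytes. */
static size_t lax_utf8_to_latin1(const unsigned char *s, size_t len, char *out)
{
    size_t n = 0;
    long pos = (long)len;

    while (pos > 0) {
        unsigned c = s[0];
        long need = c >= 0xf0 ? 4 : c >= 0xe0 ? 3 : c >= 0xc0 ? 2 : 1;
        unsigned short v;

        if (need > pos)      /* added guard, not in the original: never read past the input */
            break;
        if (need == 4)
            v = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
        else if (need == 3)
            v = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
        else if (need == 2)
            v = ((s[0]&63)<<6) | (s[1]&63);
        else
            v = (unsigned short)c;
        s += need;
        pos -= need;
        out[n++] = (v <= 0xff) ? (char)v : '?';
    }
    out[n] = '\0';
    return n;
}

/* Strict decoder (RFC 3629): rejects invalid lead bytes, missing or malformed
 * continuation bytes, overlong forms, UTF-16 surrogates and values above
 * U+10FFFF. Returns the number of code points, or -1 on the first invalid
 * sequence. cps may be NULL when only validation is wanted. */
static long strict_utf8_decode(const unsigned char *s, size_t len, uint32_t *cps)
{
    size_t i = 0;
    long n = 0;

    while (i < len) {
        unsigned char b = s[i];
        uint32_t cp, min;
        size_t need;

        if (b < 0x80)               { cp = b;        need = 0; min = 0; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; need = 1; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; need = 2; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; need = 3; min = 0x10000; }
        else return -1;             /* stray continuation byte or 0xF8..0xFF */
        if (i + need >= len && need > 0)
            return -1;              /* truncated sequence */
        for (size_t k = 1; k <= need; k++) {
            unsigned char cb = s[i + k];
            if ((cb & 0xC0) != 0x80)
                return -1;          /* not a 10xxxxxx continuation byte */
            cp = (cp << 6) | (cb & 0x3F);
        }
        if (cp < min)                          return -1;   /* overlong */
        if (cp >= 0xD800 && cp <= 0xDFFF)      return -1;   /* surrogate */
        if (cp > 0x10FFFF)                     return -1;
        if (cps) cps[n] = cp;
        n++;
        i += need + 1;
    }
    return n;
}

/* Models the PoC: a quote filter on the raw bytes (the class of check
 * addslashes() performs), then the lax decoder. Returns 1 when a quote
 * appears only after decoding, i.e. the filter was bypassed. */
static int quote_survives_filter(const unsigned char *s, size_t len)
{
    char out[64];
    if (len >= sizeof out) return 0;
    if (memchr(s, '\'', len) != NULL) return 0;   /* the filter would catch this */
    lax_utf8_to_latin1(s, len, out);
    return strchr(out, '\'') != NULL;
}

int main(void)
{
    /* Constructed inputs: the three malformed forms from the advisory. */
    const unsigned char forms[3][4] = { {0xc0, 0xa7}, {0xe0, 0xc0, 0xa7}, {0xf0, 0xc0, 0xc0, 0xa7} };
    const size_t lens[3] = { 2, 3, 4 };
    char out[8];

    for (int i = 0; i < 3; i++) {
        lax_utf8_to_latin1(forms[i], lens[i], out);
        printf("%zu-byte form: lax -> \"%s\"  strict -> %ld  filter bypassed: %d\n",
               lens[i], out, strict_utf8_decode(forms[i], lens[i], NULL),
               quote_survives_filter(forms[i], lens[i]));
    }
    return 0;
}
```

Compiled with any C99 compiler, all three forms come out of the lax loop as a quote while the strict decoder returns -1 for each of them; a well-formed sequence such as C3 A9 decodes the same way under both. The strict routine is the check a decoder should perform before mapping bytes to characters: shortest form only, every trailing byte 10xxxxxx, no surrogates, nothing above U+10FFFF. A filter that runs on the raw bytes cannot be relied on for data that is decoded afterwards.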
Vulnerability impact: all PHP versions available at the time of writing may be affected.
Vulnerability status: PHP has been notified.