Sla.ckers.org
PHP htmlentities/htmlspecialchars buffer overflow
Posted by: lpilorz
Date: November 03, 2006 02:01AM

http://secunia.com/advisories/22653/

It's a conspiracy! All the people who told us to use htmlspecialchars against XSS are involved! ;)

Re: PHP htmlentities/htmlspecialchars buffer overflow
Posted by: jungsonn
Date: November 03, 2006 03:03AM

lol

I rarely use htmlentities; mostly I use escapeshellcmd() for strings 'cause it escapes: ~#&;`'"|*?<>^{}()[]$\, \x0A ~ \xFF. The function is not intended for this, but it works like a charm.

Re: PHP htmlentities/htmlspecialchars buffer overflow
Posted by: WhiteAcid
Date: November 03, 2006 05:31AM

My 5 stages of grief.
Denial - I can't be vulnerable to this.
Anger - Why the fuck did someone fuck up?
Bargaining - God, please make no one use this on me and I'll uhm... stop searching for granny porn.
Depression - .... I hate PHP
Acceptance - Things like this happen, I just need to upgrade.

Reading the link - Hell I never use UTF8 anyway, I'm not vulnerable
10 minutes later - Downloading PHP 5.2.0.... Patched (on my localhost, the only place I have control)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: PHP htmlentities/htmlspecialchars buffer overflow
Posted by: rsnake
Date: November 03, 2006 11:13AM

Yup, probably time to upgrade... you can never be too sure.

- RSnake
Gotta love it. http://ha.ckers.org

Re: PHP htmlentities/htmlspecialchars buffer overflow
Date: November 03, 2006 10:04PM

All I have to say is HOLY CRAP!

Reading the description at http://www.hardened-php.net/advisory_132006.138.html , I fail to see how this applies to htmlspecialchars(): why would we be doing entity encoding for non-ASCII characters anyway?

Once again, another reason to use iconv() to check whether or not the string is well formed in the input character set before passing it along to htmlspecialchars() / htmlentities().

Re: PHP htmlentities/htmlspecialchars buffer overflow
Posted by: ionic
Date: November 10, 2006 03:07PM

htmlspecialchars("...MAGICSTRING...\xfx\xfd\xfd........", ENT_QUOTES, "utf-8");

Re: PHP htmlentities/htmlspecialchars buffer overflow
Posted by: jungsonn
Date: November 10, 2006 05:55PM

Many PHP functions have/had this issue; it's always a good idea to check on the length of a given string before passing it into a resource function.

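The two precautions suggested in the thread (an iconv() well-formedness check and a length check before the call), combined in one added example that is not code from any poster or from PHP itself. `escape_utf8_html`, `MAX_INPUT_BYTES` and the sample strings are assumptions made for illustration, and the round-trip check assumes an iconv implementation that rejects illegal sequences, as glibc's does.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): reject oversized or malformed
// input before it ever reaches htmlspecialchars().
const MAX_INPUT_BYTES = 4096; // assumed application limit

function escape_utf8_html(string $input, int $maxBytes = MAX_INPUT_BYTES): ?string
{
    // Length check first: strlen() counts bytes, not characters.
    if (strlen($input) > $maxBytes) {
        return null;
    }

    // iconv() returns false (and raises a notice, silenced here) when the
    // input holds a byte sequence that is illegal or incomplete in the
    // source charset. A clean UTF-8 -> UTF-8 round trip is byte-identical.
    $roundTrip = @iconv('UTF-8', 'UTF-8', $input);
    if ($roundTrip === false || $roundTrip !== $input) {
        return null;
    }

    // Pass the charset explicitly so the encoder interprets the bytes the
    // same way the validator just did.
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'plain markup'       => '<b onclick="x">caf' . "\xC3\xA9" . '</b>',
    'truncated sequence' => "abc\xC3",
    'invalid byte'       => "abc\xFF",
    'too long'           => str_repeat('A', MAX_INPUT_BYTES + 1),
];

foreach ($samples as $label => $value) {
    $out = escape_utf8_html($value);
    printf("%-20s %s\n", $label, $out === null ? 'REJECTED' : $out);
}
```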