6.8

CVE-2010-3870

Exploit
The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpPhp Version < 5.2.14
PhpPhp Version >= 5.3.0 < 5.3.4
CanonicalUbuntu Linux Version6.06
CanonicalUbuntu Linux Version8.04 SwEdition-
CanonicalUbuntu Linux Version9.10
CanonicalUbuntu Linux Version10.04 SwEdition-
CanonicalUbuntu Linux Version10.10
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 11.28% 0.954
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.php.net/ChangeLog-5.php
Vendor Advisory
http://secunia.com/advisories/42410
Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0919.html
Third Party Advisory
http://www.vupen.com/english/advisories/2010/3081
Third Party Advisory
http://marc.info/?l=bugtraq&m=133469208622507&w=2
Third Party Advisory
Mailing List
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
Third Party Advisory
Mailing List
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
Third Party Advisory
Mailing List
http://support.apple.com/kb/HT4581
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html
Third Party Advisory
Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html
Third Party Advisory
Mailing List
http://secunia.com/advisories/42812
Third Party Advisory
http://www.ubuntu.com/usn/USN-1042-1
Third Party Advisory
http://www.vupen.com/english/advisories/2011/0020
Third Party Advisory
http://www.vupen.com/english/advisories/2011/0021
Third Party Advisory
http://www.vupen.com/english/advisories/2011/0077
Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2011-0195.html
Third Party Advisory
http://bugs.php.net/bug.php?id=48230
Vendor Advisory
Exploit
http://bugs.php.net/bug.php?id=49687
Vendor Advisory
Exploit
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
Third Party Advisory
Exploit
http://svn.php.net/viewvc?view=revision&revision=304959
Patch
Vendor Advisory
http://us2.php.net/manual/en/function.utf8-decode.php#83935
Vendor Advisory
Exploit
http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
Third Party Advisory
Exploit
http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
Third Party Advisory
Exploit
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:224
Third Party Advisory
http://www.openwall.com/lists/oss-security/2010/11/02/1
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2010/11/02/11
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2010/11/02/2
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2010/11/02/4
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2010/11/02/6
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2010/11/02/8
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2010/11/03/1
Third Party Advisory
Mailing List
http://www.securityfocus.com/bid/44605
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id?1024797
Third Party Advisory
VDB Entry