Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Buffer Overflow in Multibyte String Extension May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1021482
SecurityTracker URL:
CVE Reference:   CVE-2008-5557   (Links to External Site)
Date:  Dec 22 2008
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.3.0 - 5.2.6
Description:   A vulnerability was reported in PHP's multibyte string extension. A user can execute arbitrary code on the target system.

A user can send specially crafted data to trigger a heap overflow in mbstring and execute arbitrary code on the target system. The code will run with the privileges of the target service.

The code that decodes strings containing HTML entities into Unicode strings is affected ('mbfilter_htmlent.c').

The following functions are affected:


Other functions may be affected.

The vulnerability may be exploited by remote users in certain PHP configurations.

The vendor was notified on September 13, 2008.

Moriyoshi Koizumi reported this vulnerability.

Impact:   A user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (5.2.8).

[Editor's note: The fix was included in 5.2.7, but version 5.2.7 should not be used because of an unrelated, previously reported vulnerability.]

The source code fix is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 6 2009 (Red Hat Issues Fix) PHP Buffer Overflow in Multibyte String Extension May Let Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.
Apr 6 2009 (Red Hat Issues Fix) PHP Buffer Overflow in Multibyte String Extension May Let Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Apr 14 2009 (Red Hat Issues Fix) PHP Buffer Overflow in Multibyte String Extension May Let Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Application Stack v2.

 Source Message Contents

Subject:  [Full-disclosure] CVE-2008-5557 - PHP mbstring buffer overflow


CVE-2008-5557 - PHP mbstring buffer overflow vulnerability

CVE Number: CVE-2008-5557
Author: Moriyoshi Koizumi <>
Release Date: 2008-12-21
Type: heap buffer overflow
Affected Versions: 4.3.0 and later versions including PHP 5
Not Affected: any version prior to 4.3.0
              or 5.2.7 and later versions including PHP 5.3 alpha 3

PHP [1] is a scripting language extensively used in web application
development.  The package contains a number of language extensions aside
from the language core.

A heap buffer overflow was found in the mbstring extension [2] that is
bundled in the standard distribution.  The mbstring extension provides a set
of functions for the manipulation of multibyte / Unicode strings.

The vulnerability occurs in the part of the encoding conversion facility
that decodes strings that contain HTML entities into Unicode strings.  Due to
the decoder's incorrect handling of error conditions, the bounds check for a
heap-allocated buffer is effectively bypassed.  An attacker can exploit this
vulnerability to transfer arbitrary data to a specific region of the heap if
he gains control over the input of the decoder.

Since mbstring functions make use of the facility in various places, almost
all of those can be considered vulnerable.  The functions listed below should
be particularly noted according to their primary usage:

- mb_convert_encoding()
- mb_check_encoding()
- mb_convert_variables()
- mb_parse_str()

The following functions are supposed to be safe in their nature.

- mb_decode_numericentity() *
- mb_detect_encoding()
- mb_detect_order()
- mb_ereg()
- mb_ereg_match()
- mb_ereg_replace()
- mb_ereg_search()
- mb_ereg_search_pos()
- mb_ereg_search_regs()
- mb_ereg_search_init()
- mb_ereg_search_getregs()
- mb_ereg_search_getpos()
- mb_ereg_search_setpos()
- mb_ereg_set_options()
- mb_eregi()
- mb_eregi_replace()
- mb_get_info()
- mb_http_input()
- mb_http_output()
- mb_internal_encoding()
- mb_language()
- mb_list_encodings()
- mb_preferred_mime_name()
- mb_regex_encoding()
- mb_regex_set_options()
- mb_split()
- mb_substitute_character()

(*) Based on the different code while providing similar functionality.

Besides these scriptable functions, mbstring provides functionality that
automatically filters the form values given through a request URI or POSTed
content.  Because browsers may send characters of the form data that cannot be
represented in the encoding used in the HTML document as HTML entities, it
should be no surprise that a user has a PHP installation configured as


The vulnerability would be remotely exploitable in such a case.

Upgrade to version 5.2.8.  Note that the maintenance of 4.x series was

The following pieces are excerpts from the HTML-entity decoder code in
question (mbfilter_htmlent.c), where the decoder is implemented as a
callback function that is called against each character of the input
string sequentially with a structure (mbfl_convert_filter) containing
the state of the decoder.

mbfl_convert_filter has a field named "output_function" that points to a
function to which the decoded data is passed on a per-character basis.  The
function is supposed to return a negative value on error.  It will most
fail if the argument is a Unicode value that is not designated to any

In particular, since the signature of the output_function is
int(*)(int, void *) though the buffer is an array of unsigned char,
every character code that is greater than 127 gets passed to the function
with its value negated and leads to unconditional failure.


#define CK(statement)   do { if ((statement) < 0) return (-1); } while (0)


int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter)
    if (!filter->status) {
    } else {
        if (c == ';') {
        } else {
            /* add character */
            buffer[filter->status++] = c;
            /* add character and check */
            if (!strchr(html_entity_chars, c) || filter->status+1==html_enc_buffer_size || (c=='#' && filter->status>2))
                /* illegal character or end of buffer */
                if (c=='&')
                buffer[filter->status] = 0;
                /* php_error_docref("ref.mbstring" TSRMLS_CC, E_WARNING, "mbstring cannot decode '%s'", buffer)l */
                if (c=='&')
                    filter->status = 1;
                    buffer[0] = '&';

int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
    int status, pos = 0;
    char *buffer;

    buffer = (char*)filter->opaque;
    status = filter->status;
    /* flush fragments */
    while (status--) {
        CK((*filter->output_function)(buffer[pos++], filter->data));
    filter->status = 0;
    /*filter->buffer = 0; of cause NOT*/
    return 0;


If an invalid character sequence that contains one or more characters that are
not amongst html_entity_chars occurs in the input, the invocation of the
output function within mbfl_filt_conv_html_dec_flush() will fail and cause it
to go back to the caller short of resetting filter->status because of the
return statement in the CK() macro.  This eventually allows casual access to
the buffer in mbfl_filt_conv_html_dec().

2008-08      Vulnerability discovered during the investigation of bug #45722 [3]
2008-09-13   Notified to the vendor via
2008-09-26   Vendor responded
2008-10-16   Patch committed to the repository [4]
2008-12-04   PHP 5.3 alpha 3 and PHP 5.2.7 released
2008-12-08   PHP 5.2.8 released
2008-12-18   Reconfirmation sent to the vendor
2008-12-21   Public disclosure




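As an added illustration (my own model, not PHP's source and not the vendor patch), the decoder's status handling reduced to its essentials: the vulnerable flush returns through CK() without clearing status, so after a failed flush leaves status near the end of the buffer the `==` end-of-buffer test is stepped over and every later entity byte is written past the buffer; the repaired flush clears status before any error can propagate. BUF_SIZE, emit(), feed() and run() are constructed stand-ins, and out-of-bounds writes are counted rather than performed.

```c
#include <ctype.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed model, not PHP's code; stands in for html_enc_buffer_size */
#define CK(statement) do { if ((statement) < 0) return -1; } while (0)

typedef struct {
    int status;                  /* bytes buffered for the current entity */
    unsigned char buf[BUF_SIZE];
    int overflow_writes;         /* writes that would have landed past buf */
} filter_t;

/* Stands in for output_function: fails on anything it cannot map (non-ASCII here). */
static int emit(int c) { return (c < 0 || c > 127) ? -1 : 0; }

/* Vulnerable flush: the early return inside CK() leaves status untouched. */
static int flush_vulnerable(filter_t *f) {
    int pos = 0, status = f->status;
    while (status--) CK(emit(f->buf[pos++]));
    f->status = 0;
    return 0;
}

/* Repaired flush (my fix, not PHP's patch): clear status before anything can fail. */
static int flush_fixed(filter_t *f) {
    int pos = 0, status = f->status, rc = 0;
    f->status = 0;
    while (status-- > 0 && rc == 0) rc = emit(f->buf[pos++]);
    return rc;
}

/* One input byte; mirrors the "add character and check" branch quoted above. */
static void feed(filter_t *f, int c, int (*flush)(filter_t *)) {
    if (!f->status) {                        /* outside an entity */
        if (c == '&') { f->buf[0] = '&'; f->status = 1; }
        return;                              /* other bytes pass straight through */
    }
    if (f->status < BUF_SIZE) f->buf[f->status] = (unsigned char)c;
    else f->overflow_writes++;               /* the real code writes past the heap buffer */
    f->status++;
    /* '==' means the end-of-buffer check never fires again once status has passed it */
    if (!(isalnum(c) || c == '#') || f->status + 1 == BUF_SIZE) flush(f);
}

/* Runs a byte string through the model; returns how many writes fell outside buf. */
static int run(const unsigned char *in, size_t n, int (*flush)(filter_t *)) {
    filter_t f = {0};
    for (size_t i = 0; i < n; i++) feed(&f, in[i], flush);
    return f.overflow_writes;
}
```

A constructed input of `&`, one non-ASCII byte and a long run of entity characters yields 16 out-of-bounds writes with flush_vulnerable and none with flush_fixed.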

