Lucene search

K

[email protected]CVE-2010-3870

HistoryNov 12, 2010 - 9:00 p.m.

CVE-2010-3870

2010-11-1221:00:00

CWE-20

[email protected]

web.nvd.nist.gov

80

2

php

vulnerability

utf8_decode

xss

sql injection

cve-2010-3870

nvd

6.5 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

74.9%

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

CPENameOperatorVersion
php:phpphplt5.2.14
php:phpphplt5.3.4
canonical:ubuntu_linuxcanonical ubuntu linuxeq10.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq9.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq10.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq6.06

References

bugs.php.net/bug.php?id=48230

bugs.php.net/bug.php?id=49687

lists.apple.com/archives/security-announce/2011/Mar/msg00006.html

lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html

lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html

lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html

marc.info/?l=bugtraq&m=133469208622507&w=2

secunia.com/advisories/42410

secunia.com/advisories/42812

sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html

support.apple.com/kb/HT4581

svn.php.net/viewvc?view=revision&revision=304959

us2.php.net/manual/en/function.utf8-decode.php#83935

www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/

www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf

www.mandriva.com/en/security/advisories?name=MDVSA-2010:224

www.openwall.com/lists/oss-security/2010/11/02/1

www.openwall.com/lists/oss-security/2010/11/02/11

www.openwall.com/lists/oss-security/2010/11/02/2

www.openwall.com/lists/oss-security/2010/11/02/4

www.openwall.com/lists/oss-security/2010/11/02/6

www.openwall.com/lists/oss-security/2010/11/02/8

www.openwall.com/lists/oss-security/2010/11/03/1

www.php.net/ChangeLog-5.php

www.redhat.com/support/errata/RHSA-2010-0919.html

www.redhat.com/support/errata/RHSA-2011-0195.html

www.securityfocus.com/bid/44605

www.securitytracker.com/id?1024797

www.ubuntu.com/usn/USN-1042-1

www.vupen.com/english/advisories/2010/3081

www.vupen.com/english/advisories/2011/0020

www.vupen.com/english/advisories/2011/0021

www.vupen.com/english/advisories/2011/0077

Social References

More

6.5 Medium

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

74.9%

Related for CVE-2010-3870

ubuntucve2 veracode1 openvas37 prion2 securityvulns6 nessus24 cve1 oraclelinux2 redhat2 osv1 debian1 centos1 ubuntu1 fedora6 f52 gentoo1