Vigil@nce: PHP, denial of service via grapheme_extract
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an attacker can change the second parameter of the PHP
grapheme_extract() function, he can stop the application.
– Severity: 1/4
– Creation date: 17/02/2011
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
A grapheme is a unit in a written language (a character in an
alphabetic language).
The grapheme_extract() function returns graphemes of a string:
grapheme_extract(string, max)
The second parameter indicates the maximal number of items to
return.
However, if the maximum is -1, the grapheme_extract() function
dereferences a NULL pointer.
When an attacker can change the second parameter of the PHP
grapheme_extract() function, he can therefore stop the application.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-denial-of-service-via-grapheme-extract-10376